
Windows Analysis Report
HkObDPju6Z.exe

Overview

General Information

Sample Name:HkObDPju6Z.exe
Original Sample Name:723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224.exe
Analysis ID:886219
MD5:6441d7260944bcedc5958c5c8a05d16d
SHA1:46257982840493eca90e051ff1749e7040895584
SHA256:723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224
Tags:exe
Infos:

Detection

BlackBasta
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected BlackBasta ransomware
Found ransom note / readme
Antivirus / Scanner detection for submitted sample
Detected unpacking (creates a PE file in dynamic memory)
Infects executable files (exe, dll, sys, html)
Found Tor onion address
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Writes many files with high entropy
Writes a notice file (html or txt) to demand a ransom
Deletes shadow drive data (may be related to ransomware)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Contains functionality to read the PEB
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • HkObDPju6Z.exe (PID: 6028 cmdline: C:\Users\user\Desktop\HkObDPju6Z.exe MD5: 6441D7260944BCEDC5958C5C8A05D16D)
    • cmd.exe (PID: 4148 cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • vssadmin.exe (PID: 7056 cmdline: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: 47D51216EF45075B5F7EAA117CC70E40)
  • HkObDPju6Z.exe (PID: 7028 cmdline: "C:\Users\user\Desktop\HkObDPju6Z.exe" MD5: 6441D7260944BCEDC5958C5C8A05D16D)
    • cmd.exe (PID: 1852 cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • vssadmin.exe (PID: 6840 cmdline: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: 47D51216EF45075B5F7EAA117CC70E40)
  • HkObDPju6Z.exe (PID: 4652 cmdline: "C:\Users\user\Desktop\HkObDPju6Z.exe" MD5: 6441D7260944BCEDC5958C5C8A05D16D)
    • cmd.exe (PID: 5708 cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • vssadmin.exe (PID: 5700 cmdline: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: 47D51216EF45075B5F7EAA117CC70E40)
  • cleanup
Name: Black Basta
Description: "Black Basta" is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000003.371931160.00000000034E0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security |
00000008.00000002.477620370.0000000003220000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security |
00000006.00000002.463365199.0000000003600000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security |
Process Memory Space: HkObDPju6Z.exe PID: 6028 | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security |
Process Memory Space: HkObDPju6Z.exe PID: 7028 | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security |

Source | Rule | Description | Author | Strings
6.2.HkObDPju6Z.exe.3600000.1.raw.unpack | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security |
6.2.HkObDPju6Z.exe.3600000.1.unpack | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security |
8.2.HkObDPju6Z.exe.3220000.1.unpack | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security |
8.2.HkObDPju6Z.exe.3220000.1.raw.unpack | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security |
0.3.HkObDPju6Z.exe.34e0000.0.unpack | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security |
                      No Sigma rule has matched
                      No Snort rule has matched


                      AV Detection

                      Source: HkObDPju6Z.exe, ReversingLabs: Detection: 59%
                      Source: HkObDPju6Z.exe, Virustotal: Detection: 63%
                      Source: HkObDPju6Z.exe, Avira: detected
                      Source: HkObDPju6Z.exe, Joe Sandbox ML: detected

                      Compliance

                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeUnpacked PE file: 6.2.HkObDPju6Z.exe.3600000.1.unpack
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeUnpacked PE file: 8.2.HkObDPju6Z.exe.3220000.1.unpack
                      Source: HkObDPju6Z.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Google\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\internet explorer\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\MSBuild\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Reference Assemblies\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Uninstall Information\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\UNP\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender Advanced Threat Protection\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Mail\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Multimedia Platform\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\windows nt\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Photo Viewer\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Portable Devices\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Security\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\Services\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\system\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Google\Chrome\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\internet explorer\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\internet explorer\images\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\internet explorer\SIGNUP\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\Office16\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\MSBuild\Microsoft\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Reference Assemblies\Microsoft\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\UNP\Logs\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\UNP\UpdateNotificationMgr\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender\Offline\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\Media Renderer\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\Network Sharing\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\Skins\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\Visualizations\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\windows nt\accessories\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\windows nt\tabletextservice\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Photo Viewer\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Security\BrowserCore\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Filters\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\MSInfo\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\OFFICE16\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Stationery\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\TextConv\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Triedit\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VC\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\vgx\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VSTO\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\system\ado\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\system\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\system\msadc\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\system\ole db\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Google\Chrome\Application\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\Office16\1033\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\Office16\OneNote\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\windows nt\accessories\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\windows nt\tabletextservice\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Security\BrowserCore\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\Pester\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\PSReadline\instructions_read_me.txtJump to behavior
                      Source: HkObDPju6Z.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: Binary string: P:\Target\x86\ship\msicustomactions\x-none\diagnoseca.pdbeca.pdb00000000000000 source: WordMUI.msi.0.dr
                      Source: Binary string: HfDons\x-none\ocfxca.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: Gbqhxds.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: E:\cpp\calc\Bin\Release_x86_v143\minipath.pdb source: HkObDPju6Z.exe
                      Source: Binary string: hca.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: Gbqhxds.pdbxds.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: WordMUI.msi.0.dr
                      Source: Binary string: ]{Hw\x-none\mshelp\reghh20.pdbh20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: WordMUI.msi.0.dr
                      Source: Binary string: ]{Hw\x-none\mshelp\reghh20.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: P:\Target\x86\ship\msicustomactions\x-none\abortmsica.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: _}@actions\x-none\patchca.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: ica.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: per.pdb source: setup.dll.0.dr
                      Source: Binary string: eca.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: _}@actions\x-none\patchca.pdbhca.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: WordMUI.msi.0.dr
                      Source: Binary string: h20.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: P:\Target\x86\ship\msicustomactions\x-none\abortmsica.pdbica.pdb0000000000000000000000 source: WordMUI.msi.0.dr
                      Source: Binary string: P:\Target\x86\ship\setupexe\x-none\setupbootstrapper.pdbper.pdb000Ut source: setup.dll.0.dr
                      Source: Binary string: HfDons\x-none\ocfxca.pdbxca.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: WordMUI.msi.0.dr
                      Source: Binary string: P:\Target\x86\ship\msicustomactions\x-none\diagnoseca.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: P:\Target\x86\ship\setupexe\x-none\setupbootstrapper.pdb source: setup.dll.0.dr
                      Source: Binary string: xds.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: xca.pdb source: WordMUI.msi.0.dr

                      Spreading

                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeSystem file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exeJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeSystem file written: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeSystem file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_0025605C FindFirstFileExW,6_2_0025605C
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_0020E3D0 PathCompactPathExW,LoadStringW,LoadStringW,LoadStringW,SendMessageW,GetParent,DoDragDrop,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SHGetDataFromIDListW,FindFirstFileW,FindClose,StrFormatByteSizeW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetDateFormatW,GetTimeFormatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,wsprintfW,SendMessageW,wsprintfW,lstrcmpW,SendMessageW,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,StrRetToBufW,StrRetToBufW,StrRetToBufW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,lstrcmpW,6_2_0020E3D0
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_00256446 FindFirstFileExW,FindNextFileW,FindClose,FindClose,6_2_00256446

                      Networking

                      Source: HkObDPju6Z.exe, 00000000.00000003.371931160.00000000034E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: HkObDPju6Z.exe, 00000006.00000002.463365199.0000000003600000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: HkObDPju6Z.exe, 00000006.00000002.463304811.0000000003440000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: HkObDPju6Z.exe, 00000008.00000002.477620370.0000000003220000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: HkObDPju6Z.exe, 00000008.00000002.477563045.00000000030C0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt59.0.drString found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt56.0.drString found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt74.0.drString found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt71.0.drString found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt65.0.drString found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt2.0.drString found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: PptLR.cab.0.drString found in binary or memory: http://office.micro
                      Source: HkObDPju6Z.exe, 00000000.00000003.371931160.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000006.00000002.463365199.0000000003600000.00000040.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000006.00000002.463304811.0000000003440000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000008.00000002.477620370.0000000003220000.00000040.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000008.00000002.477563045.00000000030C0000.00000004.00001000.00020000.00000000.sdmp, instructions_read_me.txt59.0.dr, instructions_read_me.txt56.0.dr, instructions_read_me.txt74.0.dr, instructions_read_me.txt71.0.dr, instructions_read_me.txt65.0.dr, instructions_read_me.txt2.0.drString found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: HkObDPju6Z.exeString found in binary or memory: https://www.flos-freeware.ch
                      Source: HkObDPju6Z.exeString found in binary or memory: https://www.flos-freeware.chopenmailto:florian.balmer
                      Source: HkObDPju6Z.exeString found in binary or memory: https://www.rizonesoft.com
                      Source: HkObDPju6Z.exe, 00000000.00000003.371931160.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000006.00000002.463365199.0000000003600000.00000040.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000008.00000002.477620370.0000000003220000.00000040.00001000.00020000.00000000.sdmp, instructions_read_me.txt59.0.dr, instructions_read_me.txt56.0.dr, instructions_read_me.txt74.0.dr, instructions_read_me.txt71.0.dr, instructions_read_me.txt65.0.dr, instructions_read_me.txt2.0.drString found in binary or memory: https://www.torproject.org/

                      Spam, unwanted Advertisements and Ransom Demands

                      Source: Yara matchFile source: 6.2.HkObDPju6Z.exe.3600000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.HkObDPju6Z.exe.3600000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.HkObDPju6Z.exe.3220000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.HkObDPju6Z.exe.3220000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.HkObDPju6Z.exe.34e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.HkObDPju6Z.exe.34e0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000003.371931160.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.477620370.0000000003220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.463365199.0000000003600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: HkObDPju6Z.exe PID: 6028, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: HkObDPju6Z.exe PID: 7028, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: HkObDPju6Z.exe PID: 4652, type: MEMORYSTR
                      Source: C:\Program Files\Windows Defender\Offline\instructions_read_me.txtDropped file: ATTENTION!Your network has been breached and all data was encrypted. Please contact us at:https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: 26d371a9-efda-4e82-9989-01e292244d65*!* To access .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us)*!* To restore all your PCs and get your network working again, follow these instructions:- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.Please follow these simple rules to avoid data corruption:- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself.Waiting you in a chat.Jump to dropped file
                      Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab entropy: 7.99965605307
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab entropy: 7.99967707845
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab entropy: 7.99943691441
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab entropy: 7.99980996483
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab entropy: 7.99912178904
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab entropy: 7.99982545137
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab entropy: 7.99993160516
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0090-0409-0000-0000000FF1CE}-C\DCFMUI.cab entropy: 7.99920950933
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab entropy: 7.99391529268
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab entropy: 7.99989863317
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-00E2-0409-0000-0000000FF1CE}-C\OSMUXMUI.cab entropy: 7.99984999643
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab entropy: 7.99992937711
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab entropy: 7.99992916048
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab entropy: 7.99856329527
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-012B-0409-0000-0000000FF1CE}-C\LyncMUI.cab entropy: 7.99982011438
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt.chm entropy: 7.99491747102
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab entropy: 7.99994142291
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\Program Files (x86)\autoit3\AutoIt.chm.7878kr5jx (copy) entropy: 7.99491747102
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.7878kr5jx (copy) entropy: 7.99994142291
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.7878kr5jx (copy) entropy: 7.99965605307
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.7878kr5jx (copy) entropy: 7.99967707845
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.7878kr5jx (copy) entropy: 7.99943691441
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.7878kr5jx (copy) entropy: 7.99980996483
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.7878kr5jx (copy) entropy: 7.99912178904
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.7878kr5jx (copy) entropy: 7.99982545137
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0090-0409-0000-0000000FF1CE}-C\DCFMUI.cab.7878kr5jx (copy) entropy: 7.99920950933
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.7878kr5jx (copy) entropy: 7.99391529268
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.7878kr5jx (copy) entropy: 7.99989863317
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-00E2-0409-0000-0000000FF1CE}-C\OSMUXMUI.cab.7878kr5jx (copy) entropy: 7.99984999643
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.7878kr5jx (copy) entropy: 7.99992916048
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab.7878kr5jx (copy) entropy: 7.99993160516
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.7878kr5jx (copy) entropy: 7.99856329527
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-012B-0409-0000-0000000FF1CE}-C\LyncMUI.cab.7878kr5jx (copy) entropy: 7.99982011438
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.7878kr5jx (copy) entropy: 7.99992937711
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped (same text in each file):
                        C:\Program Files\Windows Defender\Offline\instructions_read_me.txt
                        C:\MSOCache\All Users\{90160000-001B-0409-0000-0000000FF1CE}-C\instructions_read_me.txt
                        C:\Program Files\Windows Defender Advanced Threat Protection\en-US\instructions_read_me.txt
                        C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\instructions_read_me.txt
                        C:\Program Files\Windows Media Player\en-US\instructions_read_me.txt
                        C:\Program Files\Google\instructions_read_me.txt
                        C:\Program Files\internet explorer\instructions_read_me.txt
                        C:\Program Files\Microsoft Office\instructions_read_me.txt
                        C:\Program Files\MSBuild\instructions_read_me.txt
                        C:\Program Files\Reference Assemblies\instructions_read_me.txt
                        -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency. please follow these simple rules to avoid data corruption: - do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself. waiting you in a chat.
                      Source: HkObDPju6Z.exe, 00000000.00000003.371931160.00000000034E0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: HkObDPju6Z.exe, 00000000.00000003.371931160.00000000034E0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: @xh.7878kr5jxC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
                      Source: HkObDPju6Z.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_001F4B90
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00224150
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0023A184
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_002382A6
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0023A5A5
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00224590
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_002385EE
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_002685C0
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0020A800
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00238945
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0023A9D5
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0025EA87
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00238C8D
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00250EC2
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00208FD0
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0023901B
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0022107A
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: String function: 00253118 appears 38 times
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: String function: 00213DA0 appears 37 times
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process Stats: CPU usage > 98%
                      Source: HkObDPju6Z.exe, 00000000.00000000.355154571.000000000030E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameminipath.exeD vs HkObDPju6Z.exe
                      Source: HkObDPju6Z.exe, 00000006.00000000.395307334.000000000030E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameminipath.exeD vs HkObDPju6Z.exe
                      Source: HkObDPju6Z.exe, 00000008.00000000.415644686.000000000030E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameminipath.exeD vs HkObDPju6Z.exe
                      Source: HkObDPju6Z.exeBinary or memory string: OriginalFilenameminipath.exeD vs HkObDPju6Z.exe
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeSection loaded: fdgmnfmfhdfgsndhfd.dllJump to behavior
                      Source: HkObDPju6Z.exeReversingLabs: Detection: 59%
                      Source: HkObDPju6Z.exeVirustotal: Detection: 63%
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\HkObDPju6Z.exe C:\Users\user\Desktop\HkObDPju6Z.exe
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: unknownProcess created: C:\Users\user\Desktop\HkObDPju6Z.exe "C:\Users\user\Desktop\HkObDPju6Z.exe"
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietJump to behavior
                      Source: C:\Windows\System32\vssadmin.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\Users\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\Users\user\AppData\Local\Temp\fkdjsadasd.icoJump to behavior
                      Source: classification engineClassification label: mal100.rans.spre.evad.winEXE@18/400@0/0
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_00206080 CoCreateInstance,lstrcpyW,ExpandEnvironmentStringsW,lstrcpynW,6_2_00206080
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_00202F30 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalFree,GetFocus,MessageBoxExW,LocalFree,LocalFree,6_2_00202F30
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1572:120:WilError_01
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeMutant created: \Sessions\1\BaseNamedObjects\ofijweiuhuewhcsaxs.mutex
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5688:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6824:120:WilError_01
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_0021132D LoadResource,6_2_0021132D
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\Program Files\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCommand line argument: *.*6_2_00208650
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCommand line argument: TaskbarCreated6_2_00208650
                      Source: HkObDPju6Z.exeStatic file information: File size 1489920 > 1048576
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Google\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\internet explorer\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\MSBuild\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Reference Assemblies\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Uninstall Information\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\UNP\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender Advanced Threat Protection\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Mail\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Multimedia Platform\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\windows nt\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Photo Viewer\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Portable Devices\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Security\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\Services\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\system\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Google\Chrome\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\internet explorer\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\internet explorer\images\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\internet explorer\SIGNUP\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\Office16\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\MSBuild\Microsoft\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Reference Assemblies\Microsoft\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\UNP\Logs\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\UNP\UpdateNotificationMgr\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender\Offline\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\Media Renderer\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\Network Sharing\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\Skins\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\Visualizations\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\windows nt\accessories\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\windows nt\tabletextservice\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Photo Viewer\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Security\BrowserCore\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Filters\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\MSInfo\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\OFFICE16\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Stationery\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\TextConv\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Triedit\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VC\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\vgx\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VSTO\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\system\ado\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\system\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\system\msadc\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\system\ole db\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Google\Chrome\Application\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\Office16\1033\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\Office16\OneNote\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\windows nt\accessories\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\windows nt\tabletextservice\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Security\BrowserCore\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\Pester\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\PSReadline\instructions_read_me.txtJump to behavior
                      Source: HkObDPju6Z.exeStatic PE information: section name: RT_CURSOR
                      Source: HkObDPju6Z.exeStatic PE information: section name: RT_BITMAP
                      Source: HkObDPju6Z.exeStatic PE information: section name: RT_ICON
                      Source: HkObDPju6Z.exeStatic PE information: section name: RT_MENU
                      Source: HkObDPju6Z.exeStatic PE information: section name: RT_DIALOG
                      Source: HkObDPju6Z.exeStatic PE information: section name: RT_STRING
                      Source: HkObDPju6Z.exeStatic PE information: section name: RT_ACCELERATOR
                      Source: HkObDPju6Z.exeStatic PE information: section name: RT_GROUP_ICON
                      Source: HkObDPju6Z.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: HkObDPju6Z.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: P:\Target\x86\ship\msicustomactions\x-none\diagnoseca.pdbeca.pdb00000000000000 source: WordMUI.msi.0.dr
                      Source: Binary string: HfDons\x-none\ocfxca.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: Gbqhxds.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: E:\cpp\calc\Bin\Release_x86_v143\minipath.pdb source: HkObDPju6Z.exe
                      Source: Binary string: hca.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: Gbqhxds.pdbxds.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: WordMUI.msi.0.dr
                      Source: Binary string: ]{Hw\x-none\mshelp\reghh20.pdbh20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: WordMUI.msi.0.dr
                      Source: Binary string: ]{Hw\x-none\mshelp\reghh20.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: P:\Target\x86\ship\msicustomactions\x-none\abortmsica.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: _}@actions\x-none\patchca.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: ica.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: per.pdb source: setup.dll.0.dr
                      Source: Binary string: eca.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: _}@actions\x-none\patchca.pdbhca.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: WordMUI.msi.0.dr
                      Source: Binary string: h20.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: P:\Target\x86\ship\msicustomactions\x-none\abortmsica.pdbica.pdb0000000000000000000000 source: WordMUI.msi.0.dr
                      Source: Binary string: P:\Target\x86\ship\setupexe\x-none\setupbootstrapper.pdbper.pdb000Ut source: setup.dll.0.dr
                      Source: Binary string: HfDons\x-none\ocfxca.pdbxca.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: WordMUI.msi.0.dr
                      Source: Binary string: P:\Target\x86\ship\msicustomactions\x-none\diagnoseca.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: P:\Target\x86\ship\setupexe\x-none\setupbootstrapper.pdb source: setup.dll.0.dr
                      Source: Binary string: xds.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: xca.pdb source: WordMUI.msi.0.dr

                      Data Obfuscation

                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeUnpacked PE file: 6.2.HkObDPju6Z.exe.3600000.1.unpack
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeUnpacked PE file: 8.2.HkObDPju6Z.exe.3220000.1.unpack
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 0_3_015D38AB pushad ; iretd 0_3_015D38B1
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 0_3_015D3D23 pushad ; iretd 0_3_015D3D29
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_001FE947 push esi; ret 6_2_001FE948
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_0020A240 CreateWindowExW,LoadLibraryW,GetProcAddress,FreeLibrary,GetWindowLongW,SetWindowLongW,SetWindowPos,SendMessageW,SendMessageW,#410,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetSystemMetrics,CreateWindowExW,SendMessageW,SendMessageW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,DragAcceptFiles,SendMessageW,SendMessageW,GetSystemMenu,DeleteMenu,DeleteMenu,DeleteMenu,GetMenuItemInfoW,SetMenuItemInfoW,LoadStringW,LoadStringW,LoadStringW,InsertMenuW,InsertMenuW,LoadStringW,LoadStringW,InsertMenuW,InsertMenuW,6_2_0020A240
                      Source: initial sampleStatic PE information: section name: .data entropy: 7.357984406581138

                      Persistence and Installation Behavior

                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeSystem file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exeJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeSystem file written: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeSystem file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SkypeJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_0020FF10 GetSysColor,EnumWindows,IsWindowEnabled,IsIconic,ShowWindowAsync,IsWindowVisible,SendMessageW,SendMessageW,SendMessageW,SetForegroundWindow,GlobalSize,PathIsRelativeW,GetCurrentDirectoryW,PathAppendW,lstrcpyW,GlobalSize,SendMessageW,GlobalFree,LoadStringW,LoadStringW,LoadStringW,StrChrW,MessageBoxW,6_2_0020FF10
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_002104A0 lstrcpyW,lstrcpyW,EnumWindows,IsWindowEnabled,IsIconic,ShowWindowAsync,SetForegroundWindow,lstrlenW,GlobalAlloc,GlobalLock,lstrcpyW,GlobalUnlock,PostMessageW,StrChrW,MessageBoxW,GetShortPathNameW,StrCatBuffW,StrCpyNW,StrCatBuffW,StrCatBuffW,lstrcpyW,ShellExecuteExW,lstrcpynW,wsprintfW,DdeInitializeW,DdeCreateStringHandleW,DdeCreateStringHandleW,DdeCreateStringHandleW,DdeFreeStringHandle,DdeConnect,lstrlenW,DdeClientTransaction,DdeDisconnect,DdeFreeStringHandle,DdeFreeStringHandle,DdeFreeStringHandle,DdeUninitialize,GetShortPathNameW,StrCatBuffW,StrCpyNW,StrCatBuffW,StrCatBuffW,lstrcpyW,ExpandEnvironmentStringsW,lstrcpynW,ShellExecuteExW,DialogBoxIndirectParamW,LocalFree,6_2_002104A0
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_00210AF0 lstrcpyW,EnumWindows,IsIconic,IsZoomed,SendMessageW,SetForegroundWindow,SetForegroundWindow,BringWindowToTop,SetForegroundWindow,GetSystemMetrics,GetWindowRect,GetWindowRect,GetWindowRect,EqualRect,SystemParametersInfoW,DrawAnimatedRects,SetWindowPos,6_2_00210AF0
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_00208FD0 SetTimer,KillTimer,FindCloseChangeNotification,GetWindowPlacement,DragAcceptFiles,LocalFree,LocalFree,PostQuitMessage,DefWindowProcW,SendMessageW,DefWindowProcW,WaitForSingleObject,FindNextChangeNotification,SendMessageW,SetWindowPos,SetWindowPos,DefWindowProcW,ShowOwnedPopups,ShowOwnedPopups,SystemParametersInfoW,GetWindowRect,DrawAnimatedRects,ShowWindow,SetBkColor,SetTextColor,SendMessageW,SetWindowPos,RedrawWindow,IsIconic,ShowWindow,DragQueryFileW,DragQueryFileW,DragQueryFileW,DragFinish,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,SetWindowPos,SendMessageW,SendMessageW,SendMessageW,DestroyWindow,DestroyWindow,DestroyWindow,DestroyWindow,GetClientRect,SendMessageW,SendMessageW,UpdateWindow,IsWindowVisible,LoadMenuW,GetSubMenu,SetForegroundWindow,GetCursorPos,SetMenuDefaultItem,TrackPopupMenu,PostMessageW,DestroyMenu,PostMessageW,ShowOwnedPopups,6_2_00208FD0
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe TID: 7076 Thread sleep count: 89 > 30
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe TID: 5956 Thread sleep count: 2852 > 30
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Window / User API: threadDelayed 2852
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe API coverage: 5.5 %
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00212503 VirtualQuery,GetSystemInfo,6_2_00212503
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0025605C FindFirstFileExW,6_2_0025605C
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0020E3D0 PathCompactPathExW,LoadStringW,LoadStringW,LoadStringW,SendMessageW,GetParent,DoDragDrop,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SHGetDataFromIDListW,FindFirstFileW,FindClose,StrFormatByteSizeW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetDateFormatW,GetTimeFormatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,wsprintfW,SendMessageW,wsprintfW,lstrcmpW,SendMessageW,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,StrRetToBufW,StrRetToBufW,StrRetToBufW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,lstrcmpW,6_2_0020E3D0
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00256446 FindFirstFileExW,FindNextFileW,FindClose,FindClose,6_2_00256446
                      Source: HkObDPju6Z.exe, 00000008.00000002.477507649.0000000001207000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtray.exe
                      Source: HkObDPju6Z.exe, 00000008.00000002.477507649.0000000001207000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice
                      Source: HkObDPju6Z.exe, 00000006.00000002.463267031.00000000015D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservicee1
                      Source: HkObDPju6Z.exe, 00000006.00000002.463267031.00000000015D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtray.exen
                      Source: HkObDPju6Z.exe, 00000006.00000002.463267031.00000000015D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice.exe_
                      Source: HkObDPju6Z.exe, 00000008.00000002.477507649.0000000001207000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice.exeX-
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00240E7D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00240E7D
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0020A240 CreateWindowExW,LoadLibraryW,GetProcAddress,FreeLibrary,GetWindowLongW,SetWindowLongW,SetWindowPos,SendMessageW,SendMessageW,#410,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetSystemMetrics,CreateWindowExW,SendMessageW,SendMessageW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,DragAcceptFiles,SendMessageW,SendMessageW,GetSystemMenu,DeleteMenu,DeleteMenu,DeleteMenu,GetMenuItemInfoW,SetMenuItemInfoW,LoadStringW,LoadStringW,LoadStringW,InsertMenuW,InsertMenuW,LoadStringW,LoadStringW,InsertMenuW,InsertMenuW,6_2_0020A240
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0025897F GetProcessHeap,6_2_0025897F
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0024A542 mov ecx, dword ptr fs:[00000030h] 6_2_0024A542
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00213B49 SetUnhandledExceptionFilter,6_2_00213B49
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00213225 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00213225
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: HkObDPju6Z.exe, 00000000.00000000.355068028.000000000026E000.00000002.00000001.01000000.00000003.sdmp, HkObDPju6Z.exe, 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp, HkObDPju6Z.exe, 00000006.00000000.395230533.000000000026E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: M uxtheme.dllIsAppThemed - []\]%i %i%CSIDL:MYDOCUMENTS%.lnk"...%1%.2i"%s"Segoe UIMicrosoft JhengHei UIMicrosoft YaHei UIYu Gothic UIMalgun GothicWINDOWSTYLE;WINDOWShell_TrayWndTrayNotifyWndaf-ZA be-BY de-DE el-GR en-GB en-US es-ES es-MX fr-FR hi-IN hu-HU id-ID it-IT ja-JP ko-KR nl-NL pl-PL pt-BR pt-PT ru-RU sk-SK sv-SE tr-TR vi-VN zh-CN zh-TWTaskbarCreatedfdgmnfmfhdfgsndhfdMinPathNotepad3...AutoRefreshRateSysListView32ComboBoxEx32ToolbarWindow32Toolbar Labels%02i(none)msctls_statusbar32ReBarWindow32Toolbar -f0 -n -p %i,%i,%i,%iok\A-RHS%s | %s %s | %s%u-/%i,%i,%i,%iNotepad3.exe
                      Source: HkObDPju6Z.exe Binary or memory string: Shell_TrayWnd
                      Source: HkObDPju6Z.exe Binary or memory string: MAuxtheme.dllIsAppThemed - []\]%i %i%CSIDL:MYDOCUMENTS%.lnk"...%1%.2i"%s"Segoe UIMicrosoft JhengHei UIMicrosoft YaHei UIYu Gothic UIMalgun GothicWINDOWSTYLE;WINDOWShell_TrayWndTrayNotifyWndaf-ZA be-BY de-DE el-GR en-GB en-US es-ES es-MX fr-FR hi-IN hu-HU id-ID it-IT ja-JP ko-KR nl-NL pl-PL pt-BR pt-PT ru-RU sk-SK sv-SE tr-TR vi-VN zh-CN zh-TWTaskbarCreatedfdgmnfmfhdfgsndhfdMinPathNotepad3...AutoRefreshRateSysListView32ComboBoxEx32ToolbarWindow32Toolbar Labels%02i(none)msctls_statusbar32ReBarWindow32Toolbar -f0 -n -p %i,%i,%i,%iok\A-RHS%s | %s %s | %s%u-/%i,%i,%i,%iNotepad3.exe
                      Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW,6_2_0025C076
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: EnumSystemLocalesW,6_2_0025C318
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: EnumSystemLocalesW,6_2_0025C381
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: EnumSystemLocalesW,6_2_0025C41C
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: ResolveLocaleName,GetLocaleInfoEx,6_2_00208460
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,6_2_0025C4A7
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetUserPreferredUILanguages,GetUserPreferredUILanguages,LocalAlloc,GetUserPreferredUILanguages,LocalFree,GetLocaleInfoEx,6_2_002084F0
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetLocaleInfoEx,SendMessageW,lstrlenW,ResetEvent,lstrlenW,CharPrevW,lstrlenW,CharPrevW,lstrlenW,6_2_002066E0
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetLocaleInfoW,6_2_0025C6FA
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,6_2_0025C823
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetLocaleInfoW,6_2_0025C929
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,6_2_0025C9F8
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: EnumSystemLocalesW,6_2_00252B14
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: EnumSystemLocalesW,6_2_00252C73
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: EnumSystemLocalesW,6_2_00252CA5
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetLocaleInfoW,6_2_00210EC9
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: LCIDToLocaleName,GetLocaleInfoEx,6_2_0021114B
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00208650 GetVersion,SetErrorMode,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,OleInitialize,InitCommonControlsEx,RegisterWindowMessageW,CreateSolidBrush,CreateSolidBrush,CreateSolidBrush,6_2_00208650
                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | 2 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 12 Process Injection | 3 Masquerading | OS Credential Dumping | 21 Security Software Discovery | 1 Taint Shared Content | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 Data Encrypted for Impact
                      Default Accounts | 1 Native API | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Proxy | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | 1 DLL Side-Loading | 12 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Deobfuscate/Decode Files or Information | NTDS | 11 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | 11 Software Packing | Cached Domain Credentials | 24 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 File Deletion | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                      [Behavior graph. ID: 886219; Sample: HkObDPju6Z.exe; Startdate: 12/06/2023; Architecture: WINDOWS; Score: 100. Three HkObDPju6Z.exe processes are started; each starts cmd.exe, which starts conhost.exe and vssadmin.exe. The first HkObDPju6Z.exe process drops C:\Program Files (x86)\...\Uninstall.exe, C:\Program Files\...\instructions_read_me.txt and 50 other files (47 malicious).]

                      Source | Detection | Scanner | Label | Link
                      HkObDPju6Z.exe | 59% | ReversingLabs | Win32.Ransomware.Basta |
                      HkObDPju6Z.exe | 64% | Virustotal | | Browse
                      HkObDPju6Z.exe | 100% | Avira | TR/AD.PrestigeRansom.byoon |
                      HkObDPju6Z.exe | 100% | Joe Sandbox ML | |
                      No Antivirus matches
                      Source | Detection | Scanner | Label | Link
                      https://www.flos-freeware.chopenmailto:florian.balmer | 0% | Avira URL Cloud | safe |
                      https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ | 0% | Virustotal | | Browse
                      https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ | 0% | Avira URL Cloud | safe |
                      http://office.micro | 0% | Avira URL Cloud | safe |
                      No contacted domains info
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      https://www.rizonesoft.com | HkObDPju6Z.exe | false | | high
                      https://www.torproject.org/ | HkObDPju6Z.exe, 00000000.00000003.371931160.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000006.00000002.463365199.0000000003600000.00000040.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000008.00000002.477620370.0000000003220000.00000040.00001000.00020000.00000000.sdmp, instructions_read_me.txt59.0.dr, instructions_read_me.txt56.0.dr, instructions_read_me.txt74.0.dr, instructions_read_me.txt71.0.dr, instructions_read_me.txt65.0.dr, instructions_read_me.txt2.0.dr | false | | high
                      http://office.micro | PptLR.cab.0.dr | false | Avira URL Cloud: safe | unknown
                      https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ | HkObDPju6Z.exe, 00000000.00000003.371931160.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000006.00000002.463365199.0000000003600000.00000040.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000006.00000002.463304811.0000000003440000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000008.00000002.477620370.0000000003220000.00000040.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000008.00000002.477563045.00000000030C0000.00000004.00001000.00020000.00000000.sdmp, instructions_read_me.txt59.0.dr, instructions_read_me.txt56.0.dr, instructions_read_me.txt74.0.dr, instructions_read_me.txt71.0.dr, instructions_read_me.txt65.0.dr, instructions_read_me.txt2.0.dr | true | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                      https://www.flos-freeware.chopenmailto:florian.balmer | HkObDPju6Z.exe | false | Avira URL Cloud: safe | low
                      https://www.flos-freeware.ch | HkObDPju6Z.exe | false | | high
                            No contacted IP infos
                            Joe Sandbox Version:37.1.0 Beryl
                            Analysis ID:886219
                            Start date and time:2023-06-12 21:16:06 +02:00
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 13m 47s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                            Number of analysed new started processes analysed:18
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample file name:HkObDPju6Z.exe
                            Original Sample Name:723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224.exe
                            Detection:MAL
                            Classification:mal100.rans.spre.evad.winEXE@18/400@0/0
                            EGA Information:
                            • Successful, ratio: 50%
                            HDC Information:Failed
                            HCA Information:
                            • Successful, ratio: 71%
                            • Number of executed functions: 12
                            • Number of non-executed functions: 162
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Override analysis time to 240s for sample files taking high CPU consumption
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, VSSVC.exe, svchost.exe
                            • Execution Graph export aborted for target HkObDPju6Z.exe, PID 6028 because there are no executed function
                            • Not all processes where analyzed, report is missing behavior information
                            • Report creation exceeded maximum time and may have missing disassembly code information.
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtCreateFile calls found.
                            • Report size getting too big, too many NtOpenFile calls found.
                            • Report size getting too big, too many NtSetInformationFile calls found.
                            Time | Type | Description
                            21:17:08 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Skype C:\Users\user\Desktop\HkObDPju6Z.exe
                            21:17:17 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Skype C:\Users\user\Desktop\HkObDPju6Z.exe
                            No context
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:24:F6SGOzWKJa3XWOCYj1C1PpiyE/xVHpmjxNkX0lOhA5:VGOzW6CwRNsxV0jVOK5
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:modified
                            Size (bytes):30592502
                            Entropy (8bit):7.999941422906834
                            Encrypted:true
                            SSDEEP:786432:8rEtPAhzlsR3KvYQJnbJ+9UwbXgWDRNIWhkXLOC:YEGhzw8PJI1TPIuuLOC
                            MD5:98DC2C73FEE92897B8A36947C711DF7F
                            SHA1:6B74915B1B5125E683AE0908163927214176AC77
                            SHA-256:43158309F90C1420F08DF067C89459B43A1CC4CB4BC4791DEFAE46104B58CD75
                            SHA-512:8F2704707219AF6783771250DD7E3543C7BDCC45AF09C1DBA9866D3E59257E5C481D6CF09BC6A1E971001CF19542003DF1AF36E929D81CAB1F8DAFD8722A7993
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):30592502
                            Entropy (8bit):7.999941422906834
                            Encrypted:true
                            SSDEEP:786432:8rEtPAhzlsR3KvYQJnbJ+9UwbXgWDRNIWhkXLOC:YEGhzw8PJI1TPIuuLOC
                            MD5:98DC2C73FEE92897B8A36947C711DF7F
                            SHA1:6B74915B1B5125E683AE0908163927214176AC77
                            SHA-256:43158309F90C1420F08DF067C89459B43A1CC4CB4BC4791DEFAE46104B58CD75
                            SHA-512:8F2704707219AF6783771250DD7E3543C7BDCC45AF09C1DBA9866D3E59257E5C481D6CF09BC6A1E971001CF19542003DF1AF36E929D81CAB1F8DAFD8722A7993
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):3944762
                            Entropy (8bit):7.113572129312687
                            Encrypted:false
                            SSDEEP:49152:sokGeClV9xd/lQwkqMgv1ivQ1J0XcEF1Q+OKKx8mG0C9RDHDtQAZUgyI2jN5XwBD:MWrP/lTNv1TvEF16KKKQC9RxT283uW
                            MD5:D4BDA25196DF2CD081A302FAEA33ECAE
                            SHA1:F6D9FADAFC4FD2B8FAC090F5F09720F9F65E6C94
                            SHA-256:FE6965946DC8311E3431DAAEF58CF7D5325991D6C5998C2BB6FEC01CDA247208
                            SHA-512:733452957530D9B6DC45B3BF045E978FF191A1268283071803F3D292B962A7A43E0DE8B5F285DDAB62EB4DD5DDB1F700CD6ECC626761C448F91F9F9FEEA5ACB6
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):5306
                            Entropy (8bit):7.886160779314717
                            Encrypted:false
                            SSDEEP:96:P20Ylpy3PUURzGjOfnBWXKNvzMOy58H57Xw6k3KziFcXlNzAwB/HswQYezeNnlTk:PUpy3PL3ZWXc7K6A6k3KQQzJ/H9ugnlI
                            MD5:DBBFDEC29EC5467FA8FCCEFFA11D6D37
                            SHA1:947910199E6A7B31247A1A553AB6122203C5D983
                            SHA-256:22FC6739D05242E05A016B436F03702365824F3FFF382969D27B7087DFA97ED0
                            SHA-512:88EF11858753D66497C73B094BCD31898CA4CC33E0BB74639489F07683CC33F6ABCF627652AB339D60E0D6A88DE02045454A8F2134FCAFD99BF68C506688EC45
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1274770
                            Entropy (8bit):7.512951123194743
                            Encrypted:false
                            SSDEEP:24576:f2TJLcxCqNlyS3hrFfSLtgS/EP3mRa3CuGgSSKVx5RD+CCnVqmiHvPCrvIucch2B:fScgZuqTVHtmKRIaHpgAKwtt3kEgZKie
                            MD5:F728CF82E2FB15902C1E2247A1840F69
                            SHA1:65AE9C720A05D4C32DE56DA80B28CAFB3F10588A
                            SHA-256:4C425A1447D49A5787CA4904ACC637E437755686F3F7E3DFDD060BDF9F5D4B8A
                            SHA-512:FCBE6BE131E2FCE3A989731B3A7A2DF4842B6CC083D52EFCD1E7EAAACE9F74FAAACF9795727318A09AD13C804A99FA096C1E2DBB2F567BE2A83FAC3AA8F57F10
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):28983610
                            Entropy (8bit):6.311677848898019
                            Encrypted:false
                            SSDEEP:393216:+vfwbsMbPzX1sgMai8VDwxTvali5aK+nkF:qfwYAXx9nGxTvalAaFkF
                            MD5:D94E3C74A0DC8DD4C1F191EDCC02961C
                            SHA1:269F434281A7079C9C7CFB2672933E22402B81EA
                            SHA-256:A3C4B2CE075243E49CAD0BD4717BEADF387FA8F6F79606081D16DE7742AF00E7
                            SHA-512:A22700B1236C801EE7E57353B9685594CB01D3D54621ACE8AB7266B3D578D3FDDABD3FF09480F83511CBDDC170E58EE5FB1D2384C43E7E20C3C3C359035B3509
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):17422
                            Entropy (8bit):6.785529037683763
                            Encrypted:false
                            SSDEEP:384:cgeiFfFhG92uf/YdGNQXvvrAhof6fG95yc+H:FeIfG2uf2GCfEBfG95yc+H
                            MD5:D193A7719787D6FB03003BC8D1FBBBF5
                            SHA1:7FAE49BA6131DE5F500B5E840811FCD8AC60C817
                            SHA-256:116E6DE38A370951C8AC208DACE2292B4C71F3A632F55F5DB16E9E9E89CC700E
                            SHA-512:2EDD60F758AD8234F12A3CC7A6A34F932B5E9E9381F2A2B481C35190F719B6677247124025C23CA4D81D545A1F0B9709741665C4DC2EF68713179F9700284700
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):323579288
                            Entropy (8bit):7.99992937711017
                            Encrypted:true
                            SSDEEP:6291456:IvTS8/jU9LWir8NG/du4HQLeL7u0IR0KY26cMashYFRX4Mbip4IsW7:IzSLD4cHkRM2PMDhYFRXT7nW7
                            MD5:FA26DFA649511F61A0426256FBB10732
                            SHA1:D6FE84C280C4A9660EC97B2EE70D13107353BF0E
                            SHA-256:A9F6E84B367D35F2DCCEB30C3CD059C154890A873961065FF9E96735BB59F2E3
                            SHA-512:CF3F6819A94C2AED7FF42087A08FCEC03CF0E73727AEB5460F6045F6FDEA86463F3ED5AB37717EE01908D8266789A101AAC28A94D702E0F8F001D26ED1E54FD7
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):249155585
                            Entropy (8bit):7.999931605163267
                            Encrypted:true
                            SSDEEP:
                            MD5:9E09A048941F51DAF21DB78B77A028B3
                            SHA1:BEEFD213E782788AC7048F38B43FAF945D397952
                            SHA-256:6248E5AF7CE2C8420E4144A6304B762B65F8B4D85C9A98B837921EEDEC764E07
                            SHA-512:6C9562BC18679CE151D4A6A1EA71F4D6CC5D9D23EAEA850B545764D18D76EF0FE3F9B608B847D27613DFB3F7619813CF42F6645D9D5EF864B52189282C444962
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:OpenPGP Secret Key
                            Category:dropped
                            Size (bytes):28096
                            Entropy (8bit):6.801218487789588
                            Encrypted:false
                            SSDEEP:
                            MD5:BF6FE01153AC3566C9379D96D32EFABC
                            SHA1:A98A3B53BF1062798E39D28D388F5031D2F7A24A
                            SHA-256:8AB40A2A3385217054045720867A837136E7AFDD8E466A8220E9CD6E106DB764
                            SHA-512:FE987BDC5159E34680DAA47C73CA7159D7D227FE8FB7329922D68FD4F7646D5D148DC2C148EA6F9FE035B6B6F11FD4331D72EE11F5DAF44A34015BC4EFD6B3A1
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):203242
                            Entropy (8bit):7.226275049150236
                            Encrypted:false
                            SSDEEP:
                            MD5:E023A8F754E20D7866045CAAB9EC2083
                            SHA1:FDC5873E2E87A40A0E83F30299664F855B374C8A
                            SHA-256:94A3C5C9FAC0502D2CE268B678F1F98D9853C100BBA716BF7A72EDCACEF4E76A
                            SHA-512:4CD4532D35328A5123CA6DC22721A457FC3965CBF01FC1A78BCCFDB6B8FBB3286B145E316ACAAC725689CD4DA81ECF878EBFBD6B55EB241C3E3A982BCF35F0C2
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):9833442
                            Entropy (8bit):6.386071762477098
                            Encrypted:false
                            SSDEEP:
                            MD5:FC1232628D6CFAC9DB6488C87C5A73A7
                            SHA1:5354858DFBCC17306986FFC6D276C3134CC7D670
                            SHA-256:31F38A8050E07B0B826C94A6FC81A326C21E9FA89A5AA71CAF31A3FE3339C7D5
                            SHA-512:8D92F7BD6BDC52BB441B479C602C7C825FA8326307CE478ACEA3CAE11308E1E1A67DDF518E0B6C9FDEF53EE64F656356F9937727089A53F46E589737C6CAF52B
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):590837
                            Entropy (8bit):7.077041178843877
                            Encrypted:false
                            SSDEEP:
                            MD5:F5136C873EF328692841FEF7DD8DC104
                            SHA1:5F83C8CA13A4F1C3F853F668EF98FE0402D2BEB1
                            SHA-256:3016A0F68E190B9548B4D04C51AB1EDCEA5787F6AF1DF73271506C2BEA6DDB63
                            SHA-512:04B087A0D29940F426BE166357CAB128DD04DF0F76F8AE7FA31F828A030FBD0C54A9B2AF966E65BFB48B15ADB808B6E5A2135A538618DD9DFC5ABB4E290D6734
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):608250
                            Entropy (8bit):6.46323965715756
                            Encrypted:false
                            SSDEEP:
                            MD5:75BAA8DFF6DA95D6F5CE17AF43BD6EFE
                            SHA1:CED6B5606B35252088A708F357B903F14BBFDC96
                            SHA-256:7A225849BD3914AD587042651CD873F421988A27426213E894EDCC6C151C455D
                            SHA-512:3B7ECD1425C2BBF2FD3E5F73920EF8821B18A08AD8947C563928E69AD130A48360B1FB0618F2D26A7074F3E55BFC945204D5D880AAD31B39DDD830CA4CE23F62
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):237050
                            Entropy (8bit):5.401030939777094
                            Encrypted:false
                            SSDEEP:
                            MD5:EFDBD54FAC46EF08CD56D3147F7027C9
                            SHA1:A57C67D87A4E1BD66B5338A28AE5516F31F1FAE1
                            SHA-256:8E775E4EC8A8A47961CCB264CB39FD0EFB9E32CCB714A531AAE430C0A80A5AAB
                            SHA-512:785B5AE5D8A549CC93490A4981A6D91EFAB832185053156DB2FFE4DC4DBDBC89E3D22586174E268686EA3031C30ED84E5EE8DF75E9B9FEA7BCE5C86BF2ED2430
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):5769880
                            Entropy (8bit):7.999656053069699
                            Encrypted:true
                            SSDEEP:
                            MD5:B552A9089ED105BE914E9AB54D5948DB
                            SHA1:70550DB9ED93F9A40BE9FF799DF5416846F0DA9A
                            SHA-256:A50CF2AF0C47CCDDF34C34B99262F0AA11BC0DEF1C100EAA0CE7E94ADF4B3D06
                            SHA-512:52983966A46CE6B1D42E9B0D042108810E0B22E453217552618C0205398D73D1FB46D064044E33C223015DB8C0E76BA313D41B9AC5A1DBAE9A66C2281F86E6C0
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2388282
                            Entropy (8bit):7.117799486726264
                            Encrypted:false
                            SSDEEP:
                            MD5:4FEFD7150B1C8B6471D67D4F9E4C80AA
                            SHA1:78928BF50FBF8D69E2FACBA141EB4350FDA97052
                            SHA-256:0DEBA169F69B6B348D1811A35DCD67BE93342E9D0D83F61517E7F336E78D0A9B
                            SHA-512:78BA8977114ADE92B055242DB51B3FBBD920BDAFACB9A49744699D1620D13FC4217D5E11C7D1D90DD0B01B50A99E91AEE50764B6A4F35481F67D46E0390DCDBB
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2094
                            Entropy (8bit):7.766127127438384
                            Encrypted:false
                            SSDEEP:
                            MD5:F318DD3E3868D62228AC331D5C584C3E
                            SHA1:F0E4D3D03B137671B20D6E37EEF685426B6DBDA4
                            SHA-256:2FA97A785704825C1A244EF0EEEDB4C168A6BDA259E44A5B4DA246CCD83520E7
                            SHA-512:3F8BD778ABE7B014ED6A9AC3DCC4FF8EFD0300ADE7BD765B13F7DAAEFBDCE9E90D0C586C1C1FDA9EB31840FBC04E70CCD269D68135D8D042905129C32C6A755B
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2796
                            Entropy (8bit):7.834624537450112
                            Encrypted:false
                            SSDEEP:
                            MD5:9FF45CD0F7311F8F29AC2E6DF823A404
                            SHA1:3CB386C4CF396144037CA2042292E9D1EFE0C526
                            SHA-256:73B45C99B14126A8F54D5E693B301CDF34ACF13ED03B6A688AB51035DF363202
                            SHA-512:C0AD018ED34D6BBE7CCB73BF4644C78FFACF79C53B1B32E227BC8A6EE6F288858D89EB3B2A53F14F9BDDC55010ADA8C7A4624FDEF3F31645E9A85560B4BEAFC3
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2388282
                            Entropy (8bit):7.137544887266395
                            Encrypted:false
                            SSDEEP:
                            MD5:A52874989F5FDB723F4E63BA44E5CBD9
                            SHA1:C1AC7741AA32D4B083D498DDA2E669DAD76FA564
                            SHA-256:B6A7A176FAED678A81CF380ED58B05D3F1D90F9A79668D1EE7D51E5BDD2EB95E
                            SHA-512:B74FB4FFF97CFDA5B5FEE5F4D0B1ED3AE5C5D23419E3FA6211ABD968FC73E16BAB62869F5AE6A9E1696E0E63B8003351D64306B638C708EFAC63A51605BB00C1
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1975
                            Entropy (8bit):7.737544643314397
                            Encrypted:false
                            SSDEEP:
                            MD5:C6BBD3B4EA05B7CDAADEC3C89E4DFF0A
                            SHA1:5DFED85C22819F31BB1E59B1EF5CFFB3D26B6C9C
                            SHA-256:F9EB9A2FF0B0A2B4652976FCE982FCB73D284D833D17289982A5D7DA71687D89
                            SHA-512:CF7120557DAA0A9BD4967E7F55CF09CAD3CA8F3646790B43A348AF6972D442C907136AF7552BC3235D3A3B555D4B60A44735AD8C61BCAA6F00C4E12B9A4BA758
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):6310440
                            Entropy (8bit):7.999677078446772
                            Encrypted:true
                            SSDEEP:
                            MD5:FF92DEEB59288681212D5615863DFC48
                            SHA1:194E193F6CFE81C89EA1632019D101C45D382141
                            SHA-256:AF3124560597B5D578861F5FBD18D96CC110081F4FE005A6631BC5CACD60FDAA
                            SHA-512:0A3105DAB307C9F0E0F282B63218152B6ADE890255582952E8E480B6DCB21F0C6A97890280E42F1608C02E68CB6FFD5661C57237D8FBF61706B5036AEF9337BE
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2386
                            Entropy (8bit):7.776618243979623
                            Encrypted:false
                            SSDEEP:
                            MD5:3DCE076CBB5BC80031F80DA08DC44B48
                            SHA1:EE545CF0EDB35F72352001E28253790476003CBF
                            SHA-256:483E131849C77AED9A1BCC489D349502930623C11F24D83D19E3B5FAA237C3F7
                            SHA-512:0DB18552918B55F7FF3E71A50F4741B4619407664A98EB41DA5B85D809BCBAD3672AC22600831634DAAD7B5445DA09A2C9E09F774A1F7C5799B296536A09E978
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):3561961
                            Entropy (8bit):7.999436914411064
                            Encrypted:true
                            SSDEEP:
                            MD5:763112C51BB1AC58F9713280CD066F7F
                            SHA1:9BCF8DC47A506BD7AB9FBEA3E23AC0AFBAF78281
                            SHA-256:386268A204588801616AE03355FFD38046D37F87A093F2D4F047386A6F2C8F97
                            SHA-512:3C1FF763419600CE6E09A250FF7E60BC97A42709F1458F9BDF06CEB8675B629CD89F87FD6E267F2B4DD3603F363812437B2F0CD2345DF090B33937ED974BC8D1
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2408762
                            Entropy (8bit):7.112066530806255
                            Encrypted:false
                            SSDEEP:
                            MD5:F3E4687F1A70CFC79927E5D3168FB202
                            SHA1:A258C03DFCD934B5E36D453545E07000084D4509
                            SHA-256:4F0F609BC8E12A371D059F3C238ECFCDB6668E8B81049FB721749E779685303C
                            SHA-512:EF27094168A2127646C55A76C82425112B5D42202B181251FC87281C579A39D65C1C0CED4B3E053BD149FA28A650632DC2DFDA5F107DC8ABE9C12E98B0C97C17
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1976
                            Entropy (8bit):7.77163005338989
                            Encrypted:false
                            SSDEEP:
                            MD5:BC8487D06DCBFD8662A4BC93CF556B28
                            SHA1:DB479A5DCF2FDE5C4DEFCDC898A3FA22F91A8645
                            SHA-256:52E3843105946F4D5AB140CA7FFEB22790EEFF9A6DF3E8F640D842186B32C175
                            SHA-512:025878B05492175A7C405E4A88693F57A42B1F11475EC1FC708C666FA228714D4587EA3AB3292186428C0256E3C0FA93F4D742C844DFAE63360731638F76E722
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2109
                            Entropy (8bit):7.773415931495382
                            Encrypted:false
                            SSDEEP:
                            MD5:D1EE69B440B7E6348B142CF75DF61B76
                            SHA1:AA7BA21273F58D54E56BC045C67C09493012EC63
                            SHA-256:F11E1555EAF535A18ACE9E06C5DB47AC5CB8AE94EC720312B4C628C22FE7CB01
                            SHA-512:11E31C8561B77DAFDC2E3855511B9583973E74750D494824BA384EE999B72686C96E594D96E1AB03E9445351480894CBA3E9312DF9A60AEB40E06DFB0079B60B
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):4009499
                            Entropy (8bit):7.999809964829567
                            Encrypted:true
                            SSDEEP:
                            MD5:AF40559312DCC311014EC876740806E1
                            SHA1:DB7033F4303DE879A02F49CF874C684DDC7A99B7
                            SHA-256:90DC15961EED94E4C3E263A7835C043E47449211911706D6462BAE4A80B223D5
                            SHA-512:4AB7DF839831B7881377B89D4FDC125F29A603597AB426946C8B12A638DE5D2105761AE0D2D2D61BCFC27B92D4B425F08149DEC52A2E289FD61437A7FD114F8B
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2830650
                            Entropy (8bit):7.11015231966488
                            Encrypted:false
                            SSDEEP:
                            MD5:F71D0958366B6758D85E16E7865E3671
                            SHA1:4C8BF2A2A983841D99F594CCC8F2DAE4E9F37E37
                            SHA-256:D01C376CE05ABB6990128878AF27F8BC1A91AB370001C9D33A66D77DDB23E19E
                            SHA-512:E6F7C36690D0CA7FFCA92EC5D7837742F94DBC8629D6A736FF37555E352A50D7D67131A5672E5A1ABFBFCDADC35138F12AD58C62C8680E8B9279B33C7F3AFC77
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):3151
                            Entropy (8bit):7.8215922793625206
                            Encrypted:false
                            SSDEEP:
                            MD5:B023DEA1554917AA94B749155F17F146
                            SHA1:95C2752986700E7272766F156D45410106EDB05C
                            SHA-256:E122AAB020E8A0238B2965536903604CCE9150D4B177F065B9F47454E3FA8F35
                            SHA-512:C725D1EB46C7B68F295E1B66748916476CD0D1ED62D453C1D30010C7E8D424DD88A799582A76B0D6C7DEBF4DA81E78C4DD76121EA8FB0174273032E983BE5079
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):4184
                            Entropy (8bit):7.855392584606368
                            Encrypted:false
                            SSDEEP:
                            MD5:A18649A849F7A26FC449D9A9DBA4BFFD
                            SHA1:05006DD9DB50314A981B2F7B5DB1D3960C35A7AF
                            SHA-256:0F6F2A09E0A780D653B45F1B2FBAF09A3A626C3214302F308C948E9665A677DA
                            SHA-512:2417766BD1E0B7FCFE8904BFE5D26261A0FF3D77339AC1B870C37014EEFFD2EFAF3A4EC0B2FD18E4106187E9394210CD887E673B0C15077A552DAD0DAAC74318
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):3086
                            Entropy (8bit):7.831666533764893
                            Encrypted:false
                            SSDEEP:
                            MD5:C9B2FF88EA40365BC09426D33A7D57E6
                            SHA1:F9E271BF6038E2081544A50250CFCD447DA16556
                            SHA-256:490774D14098A359EB4E3CE59FEE932F376AE4159A7F5765260766C34F1A5E98
                            SHA-512:89F550167EA4E201FC085D74FE9DE878F3198552B9AF98D129C5FBFDA585CC6ED704B70B5516F5513E45D0785B3B03596682A64B36A5723974E3161CC70D946D
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):10080047
                            Entropy (8bit):7.999121789035516
                            Encrypted:true
                            SSDEEP:
                            MD5:D59BABCAA7FFF0E85102F3EDFC9A5EA3
                            SHA1:C75F79E77636475DA4B5D8644BDEC046F56B7A91
                            SHA-256:E13475CF353DA2E26E5FFF9685C4599DB66004B89239668864251119A4015DCE
                            SHA-512:8539D401C529E7CC59D52A3877F285157BC7E004C222C85C7EC68EC5858AC3225A937B25473B29E56C95E86E9F45ADC2ED26CC8CC52E38F680D680AA7FF2B9A2
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2404666
                            Entropy (8bit):7.119635899619627
                            Encrypted:false
                            SSDEEP:
                            MD5:6CA448FA970E0E1AAA1786539B0C4A74
                            SHA1:4CDEA6817C72421B21A0FEF5CCD8584370FAB86F
                            SHA-256:B29D0C4067E7322E5F60C21007011B549D1EC8B499A5D51CBBB9C696CE4C18B3
                            SHA-512:07B72FD03356C222C9E04ADB22B295CB856AEC8069DA7BF64CFD2863FC1BBF17E3C70B1A90FE898A180A2B0BE4E137F68AFD48A3D2AE6E46FE18FCD872F34D57
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2422
                            Entropy (8bit):7.806574624046372
                            Encrypted:false
                            SSDEEP:
                            MD5:ACCA347585DBBA663DB4760FCA500809
                            SHA1:78043BA2DD4FA5AFC4F9C63654DCC3828453EB29
                            SHA-256:E6E998E33490E5EF557E19EE7B8782B757FA4279EF87ED3ED71D7DE48E41D143
                            SHA-512:8B1E589C76B9EEF51BAECD19F70A52E687C8F50F71D73ABBC194600741DEE129BF596755389C4ED1F28705DE807740F190FB4D6C99148F3C5A5BD7C66133EA88
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:true
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1061178
                            Entropy (8bit):7.067253408762128
                            Encrypted:false
                            SSDEEP:
                            MD5:04EDED780CED2D690A2AED977FD9E877
                            SHA1:FB9C32FFDBB75F5D1978EF18FFAE439D427E6784
                            SHA-256:73E1BBC11EE3D2E1D11CBE912540F83892F64CD561F2AA6192BDC0181A062862
                            SHA-512:BA600D0EA065262F132EA9DB49453A1029C635062F8C97DD348ACF10DD295C80A40E846815743BFB113AF6F69B051DDC8E59F347E71E60378FA4EBB61CF4D99E
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:OpenPGP Secret Key
                            Category:dropped
                            Size (bytes):1338
                            Entropy (8bit):7.599982589525571
                            Encrypted:false
                            SSDEEP:
                            MD5:A31FD34218D861A805110097508FD454
                            SHA1:75AB217EADCBBACF0B1A61796D90885B5CAB8CB8
                            SHA-256:F6B3A0FEA45E7997BAA14B807155FC01D89625C717C319F01CCFE31AE00515DC
                            SHA-512:429645A495687C4CFAF43A789860D1A23907C52F126AAC86551C81A75AA781E939D541A4B484474F0D1CD3B6E17D2E2239A5391BCB7D97B243799DA7D94A442F
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):6381
                            Entropy (8bit):6.964907921570851
                            Encrypted:false
                            SSDEEP:
                            MD5:49C7340EEEF938604BD8DDB3A48A1F94
                            SHA1:57F7C203078D69C9D0237ECF12AC4748450B473E
                            SHA-256:B3727301DA790137B597826902BC07FB9C389BC2490757EA7BA0A821083A9654
                            SHA-512:070CD78169FF39F1A9D8FB708FC1105CB0BF91EE806DF3F4AED49487D27C483E4715320FCF8CF07009ECCAB5B911391698D064BE3CE5CCCD3A2D503DA18C5920
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):3911964
                            Entropy (8bit):7.999825451372041
                            Encrypted:true
                            SSDEEP:
                            MD5:A25A3023942AE336CC7219D5B8975753
                            SHA1:57BD302252A7535D2E163CACFBB9A83A83748582
                            SHA-256:59614002E536157338933E3EA0FE3B8292322C648780514CCA045B225110DA9D
                            SHA-512:DA8EE68B9F0F5BDEF4713354217C32065C42933549FE46F98B4AFAA51365423AE4D1E0BC0C6478C706108564D20670E28377EC27810F36E19746294BC023274D
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2384186
                            Entropy (8bit):7.107434701094617
                            Encrypted:false
                            SSDEEP:
                            MD5:374FD4630788C034DAD3010C111BC324
                            SHA1:A49D41FA65ACD16D8707A193C40499BB9076E628
                            SHA-256:310F8C7C806E26254F0CE6D06E1AFF6FE78EBEDF300DF4BB4606E83097D5454A
                            SHA-512:558CAEE1C3FA5A9313B9270B341C611661B805A12E8FB5694042F53508FA0205B2102D232D458873F5FF7D82CC814B6FEE27674BF62908F4E7571726FC58D1BA
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1544
                            Entropy (8bit):7.668723320369599
                            Encrypted:false
                            SSDEEP:
                            MD5:9DF962CDFED624563B86C5CD9CD62BAF
                            SHA1:41894921C4F363006C91AFAD0C9DEC063381EFC9
                            SHA-256:976DED3528CC01C156336B8A51B09C3C4EBB156A71148B32A542EB7184A02AE7
                            SHA-512:12D047AE8520FD3944F2DD25234D782C7D554DA3F528D9C87505BE7E1735817D249E0641440C62EE448AB2A1D52F02FB6A622243872F61B433DB2F0C9D36487E
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2109
                            Entropy (8bit):7.780332001676361
                            Encrypted:false
                            SSDEEP:
                            MD5:3330F10430686D507C6FD96D7CCC166D
                            SHA1:D1CD17C84CFDBBF43EBE3F5D289ADB6E73C7DD93
                            SHA-256:C94EC903524FDBFDD76A42497055ACA5A9BE658C383D9F65690533A556C5AC80
                            SHA-512:E0F744228E94AB1A15C5A32EE204938A3A758502F2BB7D2DC824BBC1E7BB321B19062EA5F8982387D39BFEA9EFD74591B9E383A7E9B23FB541E6716F9F30F248
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):641904
                            Entropy (8bit):7.99920950933189
                            Encrypted:true
                            SSDEEP:
                            MD5:E0CDB3C2223FEC0C1640E72098F4FDF0
                            SHA1:37D363A08CF1B6E6641289236FED0D9C65434C08
                            SHA-256:BA71870E7F8AAF89C016306D0B272AF3B1DC6DD2DEAADB9C7C2EBACE2B94E23B
                            SHA-512:873F0035F772EFAD5428AE0DB1E421DEC2ED417E78971EFF272C318EDBAC7253878903DB2270EC1024CF9B3B0215C599F21A6142A8D1784B77233A96D3C479CD
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2384186
                            Entropy (8bit):7.114699347653902
                            Encrypted:false
                            SSDEEP:
                            MD5:2AAE645411ABEFC6FB0978CD1010C05C
                            SHA1:D932253A067156E89F24717B835CDB80A97668FD
                            SHA-256:52267B4D2620756289245136EDEF6B0D90DBD11E09CECC1808104A67783C9FBF
                            SHA-512:E12DFE783B65FEAB3696A8DDBAA9E2EF43E7ADA8863B1B98BF976AD38B5DE1B01D6F4218CCFF3430456C09C9D358BAF8C5E6EB24D00433EE2C71EDBBD0964C6D
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:OpenPGP Public Key
                            Category:dropped
                            Size (bytes):1529
                            Entropy (8bit):7.680670765970888
                            Encrypted:false
                            SSDEEP:
                            MD5:4950C77D2A91C4C55A4E34CA815A97E6
                            SHA1:E2334485AF31DC6B000E5EDDA0E98008C1D3C55C
                            SHA-256:D1209F26FC5302B8C19B667F991E650D0E289E2098DCC7866718A299176529CF
                            SHA-512:115E92A1D925941C9F6AA6837430498E9025C1D4D7FBD4B4AE517773A7C5F1F9A2DDD2C8826A47C87118F78C634F0C53FCACF79955550689BE681920E37DA56A
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2122
                            Entropy (8bit):7.782653398168922
                            Encrypted:false
                            SSDEEP:
                            MD5:8DD8BAECD1C67272D8DC67681B025808
                            SHA1:47C109713CE18DE030F816BF8FF28AA01AAC967A
                            SHA-256:85CD9BCB81156551EC7882B406B8BD43A3265E6AA329E3D52103F28251AAA37B
                            SHA-512:98E7C9CDA7AF248F0548CFC7E0B2F34D3A88786315BF3AE33F54D3FD2D629085BED6A817B74AA196D4F4EEF96D36115115D80829E1D463EF6D1D5225D36DDAA7
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2388282
                            Entropy (8bit):7.116311339314571
                            Encrypted:false
                            SSDEEP:
                            MD5:4DA2D668E0DEF3200BE718EF42DC117D
                            SHA1:2C6DB979301578AEEE9E1782F025F3C0D8C3B32A
                            SHA-256:7AEA7422B11D3AC2F195CFF0FAF9DDC716BBB07E4A61E78CF6715AF44BE7E07B
                            SHA-512:F631A34B94A3253FFBD459A71E754E65175C6232A682202CE3CE7BD462300BA3DEF9704E6F726014F7ED7B53D715BB49FDCDCC5DF6816B699421C20C3B26AA2D
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2131
                            Entropy (8bit):7.751988687075645
                            Encrypted:false
                            SSDEEP:
                            MD5:204CD9B329392391D6207A112A642CB3
                            SHA1:C9D4672B268B71F459EF4A31FA1C877A3A0E7EEF
                            SHA-256:43B020662075C4522AB3F6865F807054FD91EAF62C25D2CC446F13F961F95B62
                            SHA-512:77FDB4021FEB03C63D269E7E537EF99DF25DCCD1487627E4924417E15D4EA4EF2960C4506C75C6814742184BD0967F77AFDC3CBEDE6DD4E8A9D7EB09703952CE
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):13355086
                            Entropy (8bit):7.999898633172596
                            Encrypted:true
                            SSDEEP:
                            MD5:D5E88AC1F785740F90B41A29A50165CB
                            SHA1:2EEE0FEC76F78483B81A9F63905681A0827540E8
                            SHA-256:A95FE062D3E11BA4DF39F1147883147A2E3842F139067ECA8D00217C1843B991
                            SHA-512:E17434203935BD961F8DB14FA3B1CBA9D201C18F960182BB5944E9AB4113F932E3E1973B0709CA422F357E16C30E104DA44899917D6968764373C77913305956
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2489
                            Entropy (8bit):7.779439802007142
                            Encrypted:false
                            SSDEEP:
                            MD5:A5BA8CDFC25E393067DB7DCE4A92816A
                            SHA1:F0B0C513CAEB29C8D3A37849085DCA2C6D449BCB
                            SHA-256:5E3CE5E20DADE2741B22ECEEAC7DFC33C93AA2FE8BA51B1FEFF99DB9C2F4AE21
                            SHA-512:1AEF6C4386AE48A54DBE2FC33616A6464FFC08AC61181D0F57D5130D41F4D2FAF68F7C8301FC79C0625E1CC6FC7F75C59252346CE0414A7928C7CC8099FF12CA
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):873276
                            Entropy (8bit):7.993915292683214
                            Encrypted:true
                            SSDEEP:
                            MD5:842B32A3B6263CC78D07213C69F19FE0
                            SHA1:AF4B14FA3538D52587401245FCBE43A7E87F76B3
                            SHA-256:6B9E16A923B956D9429537F88D1810561A58567BE85452CC8CA38059ED0CCDD7
                            SHA-512:4A4B37A1C88DD94A69DEFEAB71037AC34B1BEF4136F55C7FA88DF386A13FC8C7511D900119998215FAF355B7BA2B286E2EF4D5A6BC822A7B918B2169DA9D4727
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2380090
                            Entropy (8bit):7.127576988928786
                            Encrypted:false
                            SSDEEP:
                            MD5:C698E43442C73E143508E943274F1D2B
                            SHA1:21A5FE91CC7A54F72BC371FD9F5D3F6B50F25C42
                            SHA-256:F66F0C088908A9020C0A9EF9FA54E5BB190C5B0FFB6240640085B650E566DD4C
                            SHA-512:F90215083C61DBA5737FE99B1767104676F29BE1A647A3548565FE560986F5DE8F481616197AEC3D2CCC1CE2E951EEBA18FF2C9488359B9A88090222F95BB99F
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1440
                            Entropy (8bit):7.633707628940851
                            Encrypted:false
                            SSDEEP:
                            MD5:B16C74B265C2879C99AD6ED6EA101C2C
                            SHA1:B9DA663BE142FBC798F8A4EECB8EB01D80682C52
                            SHA-256:AAD087AA47C6E3FA2B2A66E9DDF6423F07527892B48CC8075DA07A1EEEC342D5
                            SHA-512:CEE6EFC353649F0E2FCB9208F1C866B85D72BDC4F988645F4B05D3DF087FE12747A40BF97FC07E3D620D20619B52DB02CD3FD974C22A865FA649A603CC85E4F8
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1954
                            Entropy (8bit):7.734046057348683
                            Encrypted:false
                            SSDEEP:
                            MD5:3695A1EF9CB6F241D6511748DD5964A2
                            SHA1:F24D7F3CBE921A307498D441DF1BC61AC422C7B4
                            SHA-256:5AA9CA1CF3672B503DE915BB011139098F728A2650D8B289894A790097854214
                            SHA-512:E28989F4AFED7634F32B78D06FCFA3C1C59C67982A26BEE7687D991DB6917D2A16162B32FB1F216C568F4CFB97CE91F5F530FE3966BE5BB836F274108437B11E
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):17127
                            Entropy (8bit):7.730472174092946
                            Encrypted:false
                            SSDEEP:
                            MD5:83831C7B23F7FF9E122B39EBF9A49EBB
                            SHA1:688869A8D7B1AEBA2C77BDD1DB8649948059C5F4
                            SHA-256:C3A7895322C93B60837057B1A0E7DFE03CF000C7C98778427C38BD5CF297677D
                            SHA-512:E01227F31652AA6614EE781441D939B6A97A3CD3D1B12D353629DF5BFFF4378EAE2F0FC47D83563CC6BDF97E7192DC12530157AABF8716979B857A92AA3EB339
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1225018
                            Entropy (8bit):7.102894303731298
                            Encrypted:false
                            SSDEEP:
                            MD5:263C421F6CAEAD08A44513C6ED180AC2
                            SHA1:55D3608DC27A08174EF735F0438DC4BCD1BDF95E
                            SHA-256:C7E3709BD87942686530DA117DC95341D811862C8BC14D2CCAA1906D4AB43812
                            SHA-512:7FEDA6CBE7FB71F7CF7D0E16F3939E4ECF56376DEC8EC0806D6D53A69E1763D48EE432B345CD66554B27B62DF16C1B0D64F85AC5D4C1DE99F20633E641D5C856
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1437
                            Entropy (8bit):7.670698281929482
                            Encrypted:false
                            SSDEEP:
                            MD5:2A6D71BD1241AEB9CD00F14F1BA7B547
                            SHA1:E543ADEA8BFB9A2EB473F1CA4F13296F1932BAC3
                            SHA-256:56D2335B6641E124B964EAB0DA684F21F36B0C4B99499BCBABE76ED2FEC4C3C5
                            SHA-512:EC84760536F3559B155C6DC27682EFDE7DE89012F2E4BF0FDEEFAC7526E72E3E904319C8F96904A77C23CCFC273BB49CE0E342430F468BA17B60B5B1BFF8A235
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2352
                            Entropy (8bit):7.773861124298889
                            Encrypted:false
                            SSDEEP:
                            MD5:554849703F06B75087F3824148F66C40
                            SHA1:BB9287BC5AFB40F4B55F6029EB125DD72A991925
                            SHA-256:9350631BA5334C96F63CA0A37D202F42FF5EA3CBE4F94C108E55F0B98870C648
                            SHA-512:DB02A8F78219E56F1CBD66AE6D11E5489DC9B8DD4D048C4A4A634804A1B41772699FC20F867DDCF2C999F4276A479C580CCD317953B3FFC67329F87285765F8C
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):4231015
                            Entropy (8bit):7.999849996429291
                            Encrypted:true
                            SSDEEP:
                            MD5:3956A1335EA7F82C8998E311805B9A5A
                            SHA1:D216DD457EF12EC02EBF0D1E1F87CD4B3884E67E
                            SHA-256:E3FF626C1ED36E66658FC348EBD02FDAEA8EB4D92E13C1AC31CD51F2385AD76C
                            SHA-512:E5673ED7446E84F0E4812D7AB3B344DCA132D882D7DD6AAF15E87A4A5CC3AB3E0F939F39EA0B6C9F437D90E28CA3A09D1038BACD9B2DF288CD1BAE7B890C80DC
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1061178
                            Entropy (8bit):7.090332213948712
                            Encrypted:false
                            SSDEEP:
                            MD5:43B2B47F5853D632524E88D59F7E109E
                            SHA1:9B2C0473E3997C529DD19E8759CFFC880C9BBF58
                            SHA-256:36CD6279CB2A117BEE635D7683D2BDAB0B503BAB5F2D498CC3E777364B796401
                            SHA-512:BB4D3772CA5AF6491ADDF3F68ECEA47D8CF8E2DF4395003D16C32CDC20903ADC6CED285D78B116175419E608E23F44E56B400B627C356AE1EB039FCD5611D768
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1772
                            Entropy (8bit):7.722875823774118
                            Encrypted:false
                            SSDEEP:
                            MD5:841D1796F2DB38CA3B3234FF0A6460EB
                            SHA1:9BB034250F24037A6AFAC0EB75FBDE0DCFA40EF2
                            SHA-256:1BF82731B5A2FCF7C49D7E00FBF5A28D4FCF795C289BD5C4D632338049D284DF
                            SHA-512:201213236B6992ABA1CECB91AAFCAC5723E5746B02E9C3D173BE06E7318ED65C5386D0FB93CE8491D46331296C77928381E5B242E3661D24D4C619C48049528C
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2768
                            Entropy (8bit):7.792303720313902
                            Encrypted:false
                            SSDEEP:
                            MD5:A49764E6C7EC8989B492EC5154C00001
                            SHA1:2A22166C3F848344F4438A900879F66CE4190CDE
                            SHA-256:848BC892E604B788B14609AA8C2AF1CF56280330E316003A6EC2A1FA8EE14942
                            SHA-512:55836E0AF971890058237137AFA41DC66E1F3BBFB412EEE8E6D959375D9DCEE04FEE383B133C894A4B03A921FC9D002033310061BC15608A1EB08D2E3E13B4C8
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):16022
                            Entropy (8bit):7.657401062108088
                            Encrypted:false
                            SSDEEP:
                            MD5:ECC9B19A9909C26FAF0B24700E0A4D3E
                            SHA1:2054FADE283708C010BFDD6352B2AEFA6665B558
                            SHA-256:42A5A01CB359E389AC090F62034C80AFC9F0A3510CB0F51710AF31D6F8CDDCF8
                            SHA-512:363FABC9A9F7210B1094262D7DC3EC09993DC98899E5DED2DB00782025CA42733772DDCD3588858B6C4D6C45C6536F691AE36C6A45BDF5DABE4BC8EEC80C8BC2
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):11707180
                            Entropy (8bit):7.999929160484784
                            Encrypted:true
                            SSDEEP:
                            MD5:F7AB892AAF20A0C5E9F286ACF4799A65
                            SHA1:1C0B4F9ED588C4787EA67C3645580846182ED6B7
                            SHA-256:7CAAC93DB90E177306595A536E60FE90A7EFAAC21959B97902B4574902E845DE
                            SHA-512:0808527D3374365D4CE2E80DC69BB22C95DEF514AFC0FB5A7F857C56498F9D2043206BCEAA3CCEC665CDEFAA964A512C0A3162E87000F6419642758348F89B14
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):4038970
                            Entropy (8bit):6.8294170022362515
                            Encrypted:false
                            SSDEEP:
                            MD5:BC2CBE66FB676BF64A3150E14AF1B8E0
                            SHA1:5A259C27F7B0EF29A88E4BE54CE0475A3D6B8665
                            SHA-256:C46BF830E483CB6737431AD1C207C00ECC686882E725E5C7AC531DA75ECD767F
                            SHA-512:B44EEB00EC4FA198F6B7888C780984A9E692A5032A1BF16632C9F078EF121B348120893EABC8DF80B24D8EA079F6F85CB74D9B696B7B44ADC6F7E6D85E36C498
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):5589
                            Entropy (8bit):6.919472407566059
                            Encrypted:false
                            SSDEEP:
                            MD5:7FAB860C33826B12A8C22D26C983A34B
                            SHA1:53C297CD227E1AE67E44B34B42B6273AB1AA5F11
                            SHA-256:8F0A06BF0BDB1F5925C92D1D189D9575D8DBE9CDC2F869C17DEE0DA967F42BE6
                            SHA-512:9E626D9BEAA175536B636A769A87B088DF159A9AF7F29189EBD5FF9F8D8AD790771A2BE1129BFEFA89BFEA1AFCF91B5E33EBA4FA6B8470E80372E17B356F394F
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1061178
                            Entropy (8bit):7.090129344291015
                            Encrypted:false
                            SSDEEP:
                            MD5:C427BF57F3717A0EE895AC63A3904721
                            SHA1:517F8B346734C4F83E94E31217BD310F269FB3C4
                            SHA-256:05385C8074F058A7D31BC3E94E6FA1C43821157343488652A92A77EA84FE725D
                            SHA-512:7A85DF1463B6E9BDD2ADC3B0C1A70CECCF0727E1065A9B6807A43491A8B70B49A7406FA4F7BD7E32FA51BD45B57DFB143B8C45C63FC6FC8D8AB7ECB966B08E04
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1346
                            Entropy (8bit):7.643183338790877
                            Encrypted:false
                            SSDEEP:
                            MD5:36B8EA10A7B59F865E8DE4620DFBC4BF
                            SHA1:20CC2C55B2E5AD3D50955A29D0573B65920AFEF8
                            SHA-256:487142465318D9B563C9993FCD7450E22D14BE9D29467D7917E6A2723E293B5F
                            SHA-512:099218DC5BDAF4F594C627995908482670F8A695E6BEFE9169BCA06B0D1E2FD4D6CB40794197287255045F9356DDAAC7F874CB53686CAA602AACBEADE117F1D0
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):8797
                            Entropy (8bit):6.865904269431518
                            Encrypted:false
                            SSDEEP:
                            MD5:E94FA19B04AF7D21F6377DD64CBB723E
                            SHA1:258F018D93C9BD24520D13A05A8943EACA642C5D
                            SHA-256:995CDACCE7C5B8C9AFD27A110E1CBC5EABBC645C2812D49B03901A3B385550C7
                            SHA-512:C1641DF512F86E7D73C5D85BECAFCF853A3361311ADA6B80721AE4A82559BC08A259031CA61101FA76B81734398865FCBE62951E6B40334E3CF03706CFE95C8F
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):11066
                            Entropy (8bit):7.025176124237603
                            Encrypted:false
                            SSDEEP:
                            MD5:DB3A4F68EA44507C7587FF1AB2D24EAE
                            SHA1:CD0821E802F69C0A79B16D85C1EE697489709DFE
                            SHA-256:D17232E69BCB4EB72C371F7C40F095657FE56FDEF117EF896161B678090A7E34
                            SHA-512:98141D1CC8D851071702435CE04B03305BA811F7CDF7AA7912734A8DDCE5D7C8ABF49C998F02E75A7512FFA2AEC8EBCC040FA6502393E187AF36829EAE2A8D76
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):336627
                            Entropy (8bit):6.462878030147217
                            Encrypted:false
                            SSDEEP:
                            MD5:CF940A5D3A759E93FAFDBCD571CB1F5A
                            SHA1:86F33AF9B94ED73690CC5EAE2CAD6E60B93F38CE
                            SHA-256:569A260BFA226E34DC1053E60DCFA24D960255FCD6983FF38B620DAD41FD6A3C
                            SHA-512:BB820F8FF04C4F813A78C74C26C69EC467C0492D787CDCB1A01E2796E538CD612920590576CB291BEBA88CEB3A101C5169353C54F207088341A00C97827DCBAE
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):207866
                            Entropy (8bit):5.6275030812070135
                            Encrypted:false
                            SSDEEP:
                            MD5:29B10F694951624901953C8D5BC8A7A5
                            SHA1:352657662283AECDE9125BB1273FABC154234D13
                            SHA-256:5C8A93C5C2948B43FDD4BA132D62E90F626C437D4A05E7BC0A3235328FEFC36E
                            SHA-512:3DC527394A440E3C6BAB50301867D6D099682CAF6F0FA5EADBA0569E43D46D062A04BCFCB1C367F333B5F0D10BED88B7F6B16963E026A59D4DD1E72420D2D22B
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):14912
                            Entropy (8bit):6.036845327990593
                            Encrypted:false
                            SSDEEP:
                            MD5:BD6E5FAFC00806FA5B6EF83BF2948D27
                            SHA1:33365AB7E3ECB626A1B9E5C8E149B7C07A0850C5
                            SHA-256:F59DC50E123EFD766F6B7FFAB1ADBF4D935138AA533B6D6B774E2EB4F162EFEE
                            SHA-512:B72E2234149E73A6ACC416C19D9A33EC6DEED3FB47B3B21CAEA28C0E5D914937623B95AABB501340C08C891D6EBA3DF14A46AA65BCA123BE9A840C902252CA98
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):83104
                            Entropy (8bit):7.884681544644526
                            Encrypted:false
                            SSDEEP:
                            MD5:3CC4F9BDBA76850565DFC4C3F95FEEE3
                            SHA1:37F0A83F8BD11D35A413D8A4A8114F5D53A8FF50
                            SHA-256:3309F47CA9DFA3A12FF22D35A7986BCDA4881829E37B1A3022CD7A5017379F9F
                            SHA-512:F236AF15C1F4AD129BEA535F12B6646658B37ECCE6A7E98C25BE9ABD76A80BB0579B538F6585903D020939C7F12334F0C3A32BC0DC575627CE31BAEC282937AC
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2060771
                            Entropy (8bit):7.998563295265718
                            Encrypted:true
                            SSDEEP:
                            MD5:5C192AEEA9BDA1BE86C924E41BB0645E
                            SHA1:91D0B6B431E7554D34CC5EB5AA945FE06C2BE4F8
                            SHA-256:7FD69B936CA8E9F17908A743AAC6375DDA5C937C8FAD4E908254EF145F348999
                            SHA-512:0F8EA31863A2D19524198BA4B142CB92F897D72102D6C03DD4BCB939E1307085F66339080FE2292E829B5BC74719C98DCB764467D0D1BAE8E3F046AAD164B4FF
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1225018
                            Entropy (8bit):7.097517733641261
                            Encrypted:false
                            SSDEEP:
                            MD5:E349F1919DB433685236B21A6603E58D
                            SHA1:4C0D7079042565FAD95ED57C9EC37476103E2604
                            SHA-256:07BDEC18415BB17739FEE64238F6B6058FE02B154527C0A3279365C24A29F215
                            SHA-512:313AB301032281A1FA212165F7CD44B5F37709D428CD3A5399724F633F68F77D66367D5703E2710B0445B9219778795E8E5C405C6F85AAC6E59998BB37C989B8
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:OpenPGP Public Key
                            Category:dropped
                            Size (bytes):2224
                            Entropy (8bit):7.783592669531095
                            Encrypted:false
                            SSDEEP:
                            MD5:2B19863016C9599319CC7CE11098215B
                            SHA1:332CF1D58248CBB09589D1C0640382BFDB770C07
                            SHA-256:22B0B7DAD1EAD1D1878A24751F995E8200414228AF906DF963A8962549BC414C
                            SHA-512:D7AD83EDD13CD3180140982BF7AC5A4183436E5C73D9844C11EE383F66BCE00BABE1811C53744FDE2D8050A38291EAE3B3D37073D8EF668240837DE40F900F77
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1061178
                            Entropy (8bit):7.082416104073383
                            Encrypted:false
                            SSDEEP:
                            MD5:3EE82AAFA319E14C05F553DE44A57BB7
                            SHA1:0DB25FEBAFE204DDD21478EFDD855172F12BAB1B
                            SHA-256:7FA229A95160E67E46189CD1049665B5CA0497B0FDFAD0FE0991B05F8D8AF4CA
                            SHA-512:62B8BC403CACD2F64A44E6C96952654AA98F49A22B29ED9FB2C5EEB5CCA74320D007629BD8618D09F82A1E7D5193C2B7FDD6AAD27C6FE3306633E7B5C44EAF00
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1350
                            Entropy (8bit):7.615891014007978
                            Encrypted:false
                            SSDEEP:
                            MD5:23A0F506FA5B6C99BE76272AF174A04C
                            SHA1:F56A79FE6E8E3A04B75A2A86B0E55A2DDB7B65A3
                            SHA-256:331F7903DA3774987745EA49F77716A9040D47CE1DEFF3D3A0D2D4A1218548B7
                            SHA-512:5793FCA3B29DBACA9AA190AFB680212829C76ED9BA14EF67579BA9EF68BEEFBBD1F3A25C85DC3310C3FB4F9B0AA8874A3492E69B99B3D17ACAA3FFEE85CE1E5D
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):3436
                            Entropy (8bit):7.83401426424333
                            Encrypted:false
                            SSDEEP:
                            MD5:2D9CDB8BBBFC0A3923184250BBBD96C3
                            SHA1:28D9F4C7E3E2628E84F682EBDDD92F051B038812
                            SHA-256:95422BBB82B38FB7419212E606B471F760C15AB80A5335E7CF6959E4075447BC
                            SHA-512:2BEAD1D80DA9B1F5B2958B0983E766B58ED3EBCC25D49FC5C4D05AD752A5AA769150B0C0C99A3C95DA27AA6D4F68187ADCD2D6DB8A0E4A66AEBAAA3391432679
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1061178
                            Entropy (8bit):7.093995271366247
                            Encrypted:false
                            SSDEEP:
                            MD5:61C4047D50B304502F2ACDD1F461AEA5
                            SHA1:52254D0903FDE5DDD733994220EBDE4898A5512D
                            SHA-256:3C8EEB75613DFFC25253EBE2BFE361A4ADDEBD4B860970A1A97280BE77D5F09C
                            SHA-512:F30F5FCFFB9CDC4663BB91BC73D728DD7899713DD599D27958E1E23AD87DB18965EAF2291A0A824D30E847EA6D93F70774B89ED1D99BCF168F6393094CC0538A
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1346
                            Entropy (8bit):7.619332914350226
                            Encrypted:false
                            SSDEEP:
                            MD5:9839E29C5EACBB5F3A974C5450D1655C
                            SHA1:E5042139AB7B12E05B97F9761D8DDCEE89600806
                            SHA-256:8F341C2C844071AA256E53F3B7D2F4540918BD5B8CE49D72B702194B5FB26D2D
                            SHA-512:E14193AC1025230377702BF20084838B0B457A3B079CCC57EE8FE19FC99A36F32D4BC02048E5F30360DDFBDF764911D54710B014E321CD2C1EF19204C7AAFDFA
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2898
                            Entropy (8bit):7.8197384294699575
                            Encrypted:false
                            SSDEEP:
                            MD5:4B18AEC1A03A0F0B310C6AAB6B709D6C
                            SHA1:BA6C4CBC2456023AB1187A3A4613A89B0DCC2A2A
                            SHA-256:EC8620E4ECC125AB9986D05B4BA1A6FD92412C18B8EE04EB41D882D1DA711548
                            SHA-512:964E7BDA48AC1CF60DA92EB47342B920D6723069B5695FD14DA52C0881F772BBA6A999C27E2C661F7C3FA2E54F90DED3972305CF15B9AE6F70809395BE6B531E
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2608920
                            Entropy (8bit):7.999820114378865
                            Encrypted:true
                            SSDEEP:
                            MD5:3503D6E7C793C32075454C2788D8AF18
                            SHA1:44A5BA19440BDE05E60CABA6668BDC93D3C89C94
                            SHA-256:3E86FE0668B29B645166BB1008022866C303C5E0F64CE296929B22B92B3B8C8E
                            SHA-512:0B97B7FEEC7B7095F64FEECBF41918BBDEB285C28FE75C9F1D61757ED4A4C91E1BBB9CF5E8DC30FE66D833187B65323221827B3111E310B16A9540B0962D1035
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:OpenPGP Secret Key
                            Category:dropped
                            Size (bytes):2388282
                            Entropy (8bit):7.115726273707792
                            Encrypted:false
                            SSDEEP:
                            MD5:5904284DB89E557F914B7F7C74881BB7
                            SHA1:64EE1383BDEEB223F54B2448BC9F1DDE6A35E423
                            SHA-256:E1266456EF6685A0613AF5A2D2D7118F1D532B45A109CABE5F0786998E4F12DC
                            SHA-512:ECE5FF19EA7FDC040FD8CB4C2EF6E434A6EE68CAC7EE822C0CDF771E3FA092D3621A6536BE3109F3FBF76920DDF0BA74873F1FB245870CD0F17808917D11FD23
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1541
                            Entropy (8bit):7.702326622211941
                            Encrypted:false
                            SSDEEP:
                            MD5:13566D32CD75B398BDC8788A0ABD8924
                            SHA1:CB98EAA230F711593F3A5BD3181AF4E8935C2755
                            SHA-256:58266A8CBD2E3424CF1B2095150E6374C65893ADF4C83C06CFB05D8B558AC273
                            SHA-512:9BD42E78A97DFD6E9105A7556891C2E60A134B83F38B6A5A0C81F5384CFA5529EABBDE6BDD11658602FB3AF695346835FEAF6672409EB91B2ED9CD0B9599041E
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2004
                            Entropy (8bit):7.733912502731248
                            Encrypted:false
                            SSDEEP:
                            MD5:E73CF68CEB987CEAC266493DBF4A7A5B
                            SHA1:6EB64CA7DE9F1E688CCF627223E02D65F98415B9
                            SHA-256:4EFD707E42F8A4AB71981944DA3893901065B3585BAD20AA42FD54D8898A8236
                            SHA-512:780054DB3D8B7B1D419034492524A355D9A9FEEEBE8E41A819DFA391D1CACB3E20CA53F00A5C8D9357C8F137084F6CFCF77462FF3F3961CE4755B8D412D64838
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):13245
                            Entropy (8bit):6.824068731526311
                            Encrypted:false
                            SSDEEP:
                            MD5:475E3F2C4270670D6E4A33C68B8050EC
                            SHA1:F4997AB3E649067C0CC7CA938F9C19C54A3D75E2
                            SHA-256:6AB4829BDBA5D6244F80E9B4752AEF7B7D5149CF978C28D31137F044BCE45B4A
                            SHA-512:329E126235075300A6ED6698329CF4A79206242B60037502D73FCE1F12581EE3C8A3214DF7F1E034D726DF7E51947EA97B180AAF3F0248793ACAB3377A22851D
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):197618
                            Entropy (8bit):6.982478601450315
                            Encrypted:false
                            SSDEEP:
                            MD5:73FA92C415B7A7C0C6BCD801051D63B9
                            SHA1:E183486B061463E97AD17F4E811EC412D9AB2E83
                            SHA-256:F5B4BD500C2098D26BE6257C8C4FBEB01983EDB7BC29F37104769246BEDD0F2C
                            SHA-512:71A4A2EEBC8877E3A0C3D78E8835D4B78FA82FC0636A2429CF94F7C9FE59E491DE40B128BFAB2D53A11BB3C7EAE6409FF2C8961343101F5A88CC6AF1B4B1C7F2
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):156650
                            Entropy (8bit):7.150984936314088
                            Encrypted:false
                            SSDEEP:
                            MD5:783A439474E85C3678B8B7869C84BCD4
                            SHA1:066F9EDC93C0382633A420345B4A0FE237DE9700
                            SHA-256:BA35B4FD492E307892BFC04589F69C557E689E2DF5C5C69409CE63CAD2C201B3
                            SHA-512:C295E1FA70EF92B08AFD080CA8B22AE6B6E6FE1CF318351206777720F0F2911193FC1CC11368E06D90C0D83DB25D315226DA2D01BF4C5B4F7A58C273E1663F44
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):176618
                            Entropy (8bit):7.0056473512121284
                            Encrypted:false
                            SSDEEP:
                            MD5:B41F64E84D3807CE1A3A415E53783790
                            SHA1:46BE553C920E4FF831F0102AF6D6F4EB0271CBD7
                            SHA-256:4D7D919E193084273968E1C9779A0370B5806F53319E5B57EF74FA9733C78BCA
                            SHA-512:CD70F0D881CD5442432DB7F5D2DE42CCD674156CD388D6CE91B2AEB84E0E83FDF89EA39EF66418210665B2E2E909F7B81D74A412B5D6DDC4AE4908A73EE3CE0D
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):518
                            Entropy (8bit):6.8267131934260314
                            Encrypted:false
                            SSDEEP:
                            MD5:3022498E63880205737509B4F1606A5D
                            SHA1:FD9C17DB4901D85EF21639877200E88DE8F00827
                            SHA-256:E657C181B9E1220CD5F84860314584F5E0A033FB0F067DF784F54E81970EDCDF
                            SHA-512:433D982D5E8049DBFBE49D6F885B252CDF63380F43A0657A145EAF4C0A9BF67D34794A790FE27AC33601359FA58A9499D115EB0FDBD7FEC4C08DD051ACD372CD
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):7005763
                            Entropy (8bit):7.994917471016802
                            Encrypted:true
                            SSDEEP:
                            MD5:9B8913E67808E76689099FE5F9A9BAFC
                            SHA1:782330A6AEA69B28AD69304A6B0966BD1002DFF7
                            SHA-256:B718A42EBB2139262D2DAF4FDEFB0893026FF2FF7F56C58FD688CE7852A1D539
                            SHA-512:FEE4174A3BBF36E081EFF625F3A777BFD79B241E9749FE5C81BE09983463D3B79F169C66E5615E09D2F9AA6669D86C3531154E916CE2BF511BF1335C7DCDCA31
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):119266
                            Entropy (8bit):6.790182260164097
                            Encrypted:false
                            SSDEEP:
                            MD5:83F75BFAD2DE317DA9D46745B61D8F61
                            SHA1:DD4A9D8F2E1EFB19CC4182EF7E9A97D3FE9CCEFD
                            SHA-256:B080B880624C87600B6EACF0ACA8D1E0670B3F55FB03A3E87B08D801E6902898
                            SHA-512:7A43F0104362BDDBD0396C79146D84A36C7CB4B82C65EBF3062DD4DF956281A069EC3D3AA7FB6B6A5B8C36FA5AD8CD0830FBED4BA3A08C007A045F45D27E6274
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:OpenPGP Secret Key
                            Category:dropped
                            Size (bytes):1014242
                            Entropy (8bit):7.108156503370207
                            Encrypted:false
                            SSDEEP:
                            MD5:2541AA02945282D06393FE899834B3AC
                            SHA1:861EF1B0585D3E9E18CC73AE494D62B8AFE82616
                            SHA-256:9BC7B7E27606CC110A1B73D219DE2D0F60CE1A4131B3FF3EF5F1B25CD55D9C5E
                            SHA-512:42DADB473561575AE9D12AF47960C7472296B26EE75BBD82F5ABC3F77B22EF126237110BA1524B5D0CAAF3B32EC3DF42DDE19E7EB614B5D6788427FE32308A87
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:COM executable for DOS
                            Category:dropped
                            Size (bytes):67745
                            Entropy (8bit):7.323786882465793
                            Encrypted:false
                            SSDEEP:
                            MD5:BEE02EEEF278DA741E6261FD9B194D8A
                            SHA1:576AC2027BA31F90D8B4DA934086AB2F4BB0A00F
                            SHA-256:430FB0E106619C2C92457AC93E3708D46FDDD51BC098FF9C61338B1EDE497B97
                            SHA-512:276B897FD52569B0B3D576556C98A476E5F35D321595F44C8FB1E2B45F5D095A564C26A458B6BC3B61EFAD1876809C21166B62258DBA69B0956D10B2CFA869B1
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):3646
                            Entropy (8bit):7.677697596129156
                            Encrypted:false
                            SSDEEP:
                            MD5:0A616E39EA7165B7A89DA6DCF72630D1
                            SHA1:3273178F24D786FDAB1784F75DCC612038A22DB7
                            SHA-256:1636F02697D4A9819D28C4B89B6A283A8E07BCAEC0E8633BD03C949CE2778A41
                            SHA-512:AC6F6DDE268D2576FA486249F8A63422714D45EE68F41607153C242324BDFEFBDD1B04BEEE560B616600D0DE5A2760BEC59F7F001541F4F63F051526049918A6
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):3334
                            Entropy (8bit):7.742288302901985
                            Encrypted:false
                            SSDEEP:
                            MD5:892C073AC538A612134B2CA57843FCAB
                            SHA1:52EF59D741E6A438AC2E8B1502C2B4E0AD475C26
                            SHA-256:FA880F3AD0CACD55EFBB603BE3C10947ADD589D493F014B6443BE355FA5F31C6
                            SHA-512:3EC3AF18296EE4599B912B683F56B339F2CCD63CED988255D9664F28E5E0C04D237FA32E7CFACD0487C6E921128A2730C90D4243BBDE030FA1D5F669861149C1
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):9362
                            Entropy (8bit):6.8283755795898955
                            Encrypted:false
                            SSDEEP:
                            MD5:8C329C7E54EE372072109E1A06C80F54
                            SHA1:AC5568EDD2FA5EB6CEFA67B9E60FF481021C6C4C
                            SHA-256:C522820702C481DBC36D648505298836D06C488CE1A00ADECBC2DF1436073F60
                            SHA-512:40EC838E5E4B6CD5C5785C8245F7440789C15C77B1F8AD941337E8563D901876743C0FA0781EE6ACFD0D54D88A16EE64DCA0AB16811134F8F538B6315EE75E56
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):13245
                            Entropy (8bit):6.824068731526311
                            Encrypted:false
                            SSDEEP:
                            MD5:475E3F2C4270670D6E4A33C68B8050EC
                            SHA1:F4997AB3E649067C0CC7CA938F9C19C54A3D75E2
                            SHA-256:6AB4829BDBA5D6244F80E9B4752AEF7B7D5149CF978C28D31137F044BCE45B4A
                            SHA-512:329E126235075300A6ED6698329CF4A79206242B60037502D73FCE1F12581EE3C8A3214DF7F1E034D726DF7E51947EA97B180AAF3F0248793ACAB3377A22851D
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):197618
                            Entropy (8bit):6.982478601450315
                            Encrypted:false
                            SSDEEP:
                            MD5:73FA92C415B7A7C0C6BCD801051D63B9
                            SHA1:E183486B061463E97AD17F4E811EC412D9AB2E83
                            SHA-256:F5B4BD500C2098D26BE6257C8C4FBEB01983EDB7BC29F37104769246BEDD0F2C
                            SHA-512:71A4A2EEBC8877E3A0C3D78E8835D4B78FA82FC0636A2429CF94F7C9FE59E491DE40B128BFAB2D53A11BB3C7EAE6409FF2C8961343101F5A88CC6AF1B4B1C7F2
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):156650
                            Entropy (8bit):7.150984936314088
                            Encrypted:false
                            SSDEEP:
                            MD5:783A439474E85C3678B8B7869C84BCD4
                            SHA1:066F9EDC93C0382633A420345B4A0FE237DE9700
                            SHA-256:BA35B4FD492E307892BFC04589F69C557E689E2DF5C5C69409CE63CAD2C201B3
                            SHA-512:C295E1FA70EF92B08AFD080CA8B22AE6B6E6FE1CF318351206777720F0F2911193FC1CC11368E06D90C0D83DB25D315226DA2D01BF4C5B4F7A58C273E1663F44
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):176618
                            Entropy (8bit):7.0056473512121284
                            Encrypted:false
                            SSDEEP:
                            MD5:B41F64E84D3807CE1A3A415E53783790
                            SHA1:46BE553C920E4FF831F0102AF6D6F4EB0271CBD7
                            SHA-256:4D7D919E193084273968E1C9779A0370B5806F53319E5B57EF74FA9733C78BCA
                            SHA-512:CD70F0D881CD5442432DB7F5D2DE42CCD674156CD388D6CE91B2AEB84E0E83FDF89EA39EF66418210665B2E2E909F7B81D74A412B5D6DDC4AE4908A73EE3CE0D
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):518
                            Entropy (8bit):6.8267131934260314
                            Encrypted:false
                            SSDEEP:
                            MD5:3022498E63880205737509B4F1606A5D
                            SHA1:FD9C17DB4901D85EF21639877200E88DE8F00827
                            SHA-256:E657C181B9E1220CD5F84860314584F5E0A033FB0F067DF784F54E81970EDCDF
                            SHA-512:433D982D5E8049DBFBE49D6F885B252CDF63380F43A0657A145EAF4C0A9BF67D34794A790FE27AC33601359FA58A9499D115EB0FDBD7FEC4C08DD051ACD372CD
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):7005763
                            Entropy (8bit):7.994917471016802
                            Encrypted:true
                            SSDEEP:
                            MD5:9B8913E67808E76689099FE5F9A9BAFC
                            SHA1:782330A6AEA69B28AD69304A6B0966BD1002DFF7
                            SHA-256:B718A42EBB2139262D2DAF4FDEFB0893026FF2FF7F56C58FD688CE7852A1D539
                            SHA-512:FEE4174A3BBF36E081EFF625F3A777BFD79B241E9749FE5C81BE09983463D3B79F169C66E5615E09D2F9AA6669D86C3531154E916CE2BF511BF1335C7DCDCA31
                            Malicious:true
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):119266
                            Entropy (8bit):6.790182260164097
                            Encrypted:false
                            SSDEEP:
                            MD5:83F75BFAD2DE317DA9D46745B61D8F61
                            SHA1:DD4A9D8F2E1EFB19CC4182EF7E9A97D3FE9CCEFD
                            SHA-256:B080B880624C87600B6EACF0ACA8D1E0670B3F55FB03A3E87B08D801E6902898
                            SHA-512:7A43F0104362BDDBD0396C79146D84A36C7CB4B82C65EBF3062DD4DF956281A069EC3D3AA7FB6B6A5B8C36FA5AD8CD0830FBED4BA3A08C007A045F45D27E6274
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:OpenPGP Secret Key
                            Category:dropped
                            Size (bytes):1014242
                            Entropy (8bit):7.108156503370207
                            Encrypted:false
                            SSDEEP:
                            MD5:2541AA02945282D06393FE899834B3AC
                            SHA1:861EF1B0585D3E9E18CC73AE494D62B8AFE82616
                            SHA-256:9BC7B7E27606CC110A1B73D219DE2D0F60CE1A4131B3FF3EF5F1B25CD55D9C5E
                            SHA-512:42DADB473561575AE9D12AF47960C7472296B26EE75BBD82F5ABC3F77B22EF126237110BA1524B5D0CAAF3B32EC3DF42DDE19E7EB614B5D6788427FE32308A87
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:COM executable for DOS
                            Category:dropped
                            Size (bytes):67745
                            Entropy (8bit):7.323786882465793
                            Encrypted:false
                            SSDEEP:
                            MD5:BEE02EEEF278DA741E6261FD9B194D8A
                            SHA1:576AC2027BA31F90D8B4DA934086AB2F4BB0A00F
                            SHA-256:430FB0E106619C2C92457AC93E3708D46FDDD51BC098FF9C61338B1EDE497B97
                            SHA-512:276B897FD52569B0B3D576556C98A476E5F35D321595F44C8FB1E2B45F5D095A564C26A458B6BC3B61EFAD1876809C21166B62258DBA69B0956D10B2CFA869B1
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:true
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):31202
                            Entropy (8bit):6.833126112996846
                            Encrypted:false
                            SSDEEP:
                            MD5:27C6031D22E620B727172BFAE46679E8
                            SHA1:6AF6ACDE4ACAF90367184801318E458525DA9978
                            SHA-256:5FE3F66124C17F244035CD012148B3254BCA6527CD6A2FF0D301053F53D466C2
                            SHA-512:F135A9D3F8309B5CD367FAC5989911FA0DEA11F6B3CA6C1B32C7CF827FBE7677CBDCB4FF8181955D03F253BF5EDBF27B11D97A526813F818A1A6705F6D34335C
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):50274
                            Entropy (8bit):7.16045489784044
                            Encrypted:false
                            SSDEEP:
                            MD5:2728B527B9F392C5443C84E0A3F6BE1E
                            SHA1:D85D3BE374CE07E05FEE4254B376249F393C7A57
                            SHA-256:056463CD14643505F9FB44340CC86D83713CD78289D1A12358E13DE06D7C0636
                            SHA-512:D3E6359887A0F769460C4E7B4AF738EFB26E80108C094CFB466C54FDA080F2F8BC56AA45F54D9C7434315FEC557294094D13DDEB74ED40D204F50EADB345623A
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1657
                            Entropy (8bit):7.671083975006728
                            Encrypted:false
                            SSDEEP:
                            MD5:A14A3E98D6E610E5EF9F1B8EC7A6CE50
                            SHA1:86E529C3CA88D3F91EE9BDE632149E84B49BAF15
                            SHA-256:5930FA9F3380E7D596C5D4591FA2F824199B0906E4D3CA15AF253A01AFD32670
                            SHA-512:29E68F5B861EBB301286766E2ECFE37FA253224B46B9DAE64BBC807366C848691FF9AA1A37E36AF5F18065FFA924C14EFC71AA121969F45F55CE12F67A22FC93
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):293754
                            Entropy (8bit):7.02567372937018
                            Encrypted:false
                            SSDEEP:
                            MD5:BB30649CAA285D65291DE7CB31BC8766
                            SHA1:F0DD115769C7DBEC0CA45B98B45EBA7D6E82F461
                            SHA-256:E54617B3D6A05A1500138EA4E45D6549B52BC3A2338A36D148DF4138C55FF999
                            SHA-512:299996F375115AA0E7FE5B59B03CB3FB6107759451232E71CC653A23B948696DD3D6C3012FBF01EFD7DF3AE104E7E90BFD9D68E23723A2A04E950DDB08700CE3
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):73810
                            Entropy (8bit):6.918624889856459
                            Encrypted:false
                            SSDEEP:
                            MD5:983302CAA60BE57B2F01CB9C05DC88CD
                            SHA1:6B0489D0E12BF3BC5B3EB3BAD48232BA48323D56
                            SHA-256:26108A5A001F1BB20F31EE16DABCE8F697F5519D693FA5746A1C57D1E3D70D71
                            SHA-512:BEECA5831C7CC4D96BA46621113F694910867D0D6CFBABB31AF06CF343249A3C319F42B7774C7F599B6E67A9B5095615FF1A6FE49063CD6978B57A6DBFA9FB37
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):113610
                            Entropy (8bit):7.057157214529767
                            Encrypted:false
                            SSDEEP:
                            MD5:A5FF38BA527104DBEEED5EE6AEB9CE1B
                            SHA1:A1CF098601BD623C5F11EA3277055DAF2491827A
                            SHA-256:7B2B77BB7D0C1BEE8E81D433AF98AAA73C0D7BFD762A4016513652A4C9E29B64
                            SHA-512:026C72B373238F800D67BBE864FBCD2FAD94203556B1732508F921578FEE83D8DBE46F7FA634298AFD5893ED922FBD6FF5140647D695407E19B01404844F5919
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:OpenPGP Public Key
                            Category:dropped
                            Size (bytes):92106
                            Entropy (8bit):7.070598422457191
                            Encrypted:false
                            SSDEEP:
                            MD5:FC9E149CB4175744809FB4825187E1EB
                            SHA1:7C279AE13062FFC89CFECB67C67E7057BF3F3676
                            SHA-256:783CC3A37132E04E3B5643259535656E017AF35F4418965561E481589E9C7DDE
                            SHA-512:9FBFBF96984640261C640DB54D235A36A0E6CA8A91C810731D532639F8859FD253B2080B6D7BAF238B16735DF79002CD36014EBD0EE1A22B91D881312972313F
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):101834
                            Entropy (8bit):7.07234631715351
                            Encrypted:false
                            SSDEEP:
                            MD5:963BA10EB694EDDBC257D7CEA58F06A6
                            SHA1:DB079A7C93A225630C2C6747D53AA182A3488CA5
                            SHA-256:F2E6916598B17C22AC4F3DEBE654929EA4BE197DA28EFFE5EFE2C7F6DA31A227
                            SHA-512:4C7CDFBE9EEFD0BC2541B4912B8276681470551514A60E16A43388FBBB005B551080B163033456FE3CF2515C72D8B0A3E3C3CBFD742C6345F91365F634D8D36C
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):83938
                            Entropy (8bit):6.890117919953192
                            Encrypted:false
                            SSDEEP:
                            MD5:D70BE3D084AC91740F5C2B9D68E42C34
                            SHA1:28436E7F281964EA4106D7DBCC49CEBA786B0427
                            SHA-256:B2FBF3781D8986B88F7768636BAD173A3013A4DB4B07E88D986B0C7BDB31F2F2
                            SHA-512:7A6497E52F73216BA9250E93DE5CB2B446655065FD43D6CDD56DA2D25201619858EDF1720246E5FE3BC7212CBD801B0273F9A30FDD266AE11587F723AF207F35
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):392
                            Entropy (8bit):6.310083775575481
                            Encrypted:false
                            SSDEEP:
                            MD5:1CE134BCB99F4D211B0EBC746424AFAC
                            SHA1:15F8A03BC245F8073859818C1F30C96496BCB43F
                            SHA-256:736E0262E421EC8B6E18EED4411D171BFDDEA912BCF3DF168832FA68582F9359
                            SHA-512:25CFECD1312B9D36608C2EBBFE93D607A33F968F335235492A11F8EC0BEE10B34487E55BFAF7BAE42654D1B2CAC1370F93F598028FF846AAFBB5EFDD9CF3D851
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):336258
                            Entropy (8bit):6.25050226010354
                            Encrypted:false
                            SSDEEP:
                            MD5:28A63A84AA9AB10DA2E81C4F48600B96
                            SHA1:34E238EB505E1FA82C0F7773DF961562A51A0D71
                            SHA-256:46282373ECE990946ABE25F5DA8A859444FA7FEC58E6F93157D4A3649B35CFD3
                            SHA-512:17410E9DEAB7B5DDC16D7CF6DE1121B9604E529550E85FBA5A227A0A4EFE91CE346863BB9BEEE6FE1218194126C49F06B142DEF651F1EC65E438222DE915938D
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):238698
                            Entropy (8bit):7.05955202910951
                            Encrypted:false
                            SSDEEP:
                            MD5:3699FEF4DB1933282FF51465DD91D645
                            SHA1:784051CC9F669B1D467A17917FE28A63FB2A95CA
                            SHA-256:C36E32B692827928C1F6CFE5B99202D1AAE90968EAEC3FF62C3A1E7E3EC987E1
                            SHA-512:683206BFA0433823983B483A4A38F2D7C176370200B57440450FFF26B4393321203D4CA88C2B736933A3572A1F403E0F45D8866B38C073BDBD1AAF00A40340A0
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):264194
                            Entropy (8bit):6.620617145912271
                            Encrypted:false
                            SSDEEP:
                            MD5:92933B0128576097E36CFE085AD387F7
                            SHA1:5D09B72D1C21D9DDE0C41F412F38AC95795E803C
                            SHA-256:8F1A154D37A2EA34A27A1B667E4DDE4EBDE8EFB2D306A93B0C673BEE7DC549FB
                            SHA-512:2D7254214EA04257A0C8FF7B92BF34048DE41E533809EE6C9C5F40E86C9C2D23BC176D9EFC004CFEDE9EF9FBAC2BD1071D051F0FEC4616AC23E239EDEF5C421E
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):243906
                            Entropy (8bit):6.798632765596678
                            Encrypted:false
                            SSDEEP:
                            MD5:74018ADE9CF62E2C1965AD391D20DB63
                            SHA1:E2056CE184C6FE3BACD0E78232EFB9D198261305
                            SHA-256:84A7214CBAD0B9E003395A76CFCE859A8105DB21331BC00AD7C58C8968F1C59E
                            SHA-512:E7B2F433E64467BE12DFF98D7FADB4C1ADD91732B03F22DC6686C62D1A2342AFF49F515FAF129914E3D307A0F45EE6C53CF2196AFEBB00DCD016464964C33E6D
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):214122
                            Entropy (8bit):6.713309328192175
                            Encrypted:false
                            SSDEEP:
                            MD5:4B457A6E8CD394C5D84F7F7F6B1AE277
                            SHA1:F0F6A446653BDAB86BE58B5CAD2FF1B26B7977C2
                            SHA-256:A7955FE2472BBD5C1F2D91EEFAD5E64DBCA7621D7ADFB6BE7CE8B39A14E9A398
                            SHA-512:20427DE4B7F3F14D76FFCE50954CD857A59A72A02BF464860700E6600F198D177B8120A48F20C8E06F94ADA11B3C3A94513A2C61FC04B04314BE6C928BAE3229
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):3157058
                            Entropy (8bit):7.124737731711196
                            Encrypted:false
                            SSDEEP:
                            MD5:FE6623E6F8619086B7329ADD004DC4D1
                            SHA1:9FED1ACBF4037EE44234B9C1C96074024E0249F9
                            SHA-256:E9577B762F6CE5CA481DD018329C9065D95FD0B1899F2C6B10CA69FF0B6AA319
                            SHA-512:8C7CC2700FC4AFEFF8C615412C46AFE21876980EA3ED95950780A20F38A9BD6553CFB9C67E1D4AA2F831DFC8FD03C01DE2AAEA031B16F292A2D17D1D68ED54B8
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):103970
                            Entropy (8bit):6.7852565091111074
                            Encrypted:false
                            SSDEEP:
                            MD5:39021FDA44C36E57D4067703213D676F
                            SHA1:F3D7CC3E6E138F54B56D344F43A7E64D53913ABB
                            SHA-256:68CFB54CBA7D04F804FECA5A00B52FE05625CC93D0B57347580C5C83A9885344
                            SHA-512:406D4B679CA5DEEE997BF7A13AB50EAAA159844B5F986380B4A0C1ECDA1626102CD67B57449177C46E574C95147CAD6C108E1CEF9FFB6281BA30BAB9547D35B2
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):947186
                            Entropy (8bit):5.627150366365194
                            Encrypted:false
                            SSDEEP:
                            MD5:B1C25094ED7F4DB661DF5AE40E5949A8
                            SHA1:18BD46FCBCC454CA1144E3F73529C4E04AA28F03
                            SHA-256:DCAB51FDBE1BB18441912B285E4EE629060CF71DDBBF55CD3256A071CC185B48
                            SHA-512:E4F9E4FAE980C53A481633F12757EA4E71E8ED12DA176765D7B2A6F49915C5249BEC86B6B014E93C052208E96674916E120F4841A5088087EB4467FAC8D45456
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1470
                            Entropy (8bit):7.661416354718824
                            Encrypted:false
                            SSDEEP:
                            MD5:DB87B524112A7A71AE0659F654E9D337
                            SHA1:40AE4B766749BB01A418F820835A255C89A5CD79
                            SHA-256:0471C682CDC029C6ED0632AB9FC75E7ACE916287069D5291C8B1AA9DDDCF4C24
                            SHA-512:452C6CF856523AB33D0D9C4515403364842C91FC9DD8A24101488165B63851856FCE404EC02EC25D73E5BA6ECD5CDE63A42333B64022EEA3A29049C315E29041
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):416746
                            Entropy (8bit):7.020209472790946
                            Encrypted:false
                            SSDEEP:
                            MD5:B2E5C6D6C575D3DF86F3AF6147ABC68C
                            SHA1:AE5D4CFF6AF06562D78C027BD54E8E57100274D5
                            SHA-256:B3A4C6AF30EFC5060143A6506F1E54345F57FEC7C64241520EA5F020680F771F
                            SHA-512:AA60B4BF3395620CEA54C4246A6A1D8808D721159EC272F4F4E4DC1A2B0BA3436DDDF24E345B633F0E53B9CB14736DC8D5E810546B2F724111E9EB48D7B1FAAE
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):23074
                            Entropy (8bit):6.882346327408194
                            Encrypted:false
                            SSDEEP:
                            MD5:0FA0817BBB49B911D657C70EA4982514
                            SHA1:5508E3761D8EFD04AD61424698EF0FD2E7A4655A
                            SHA-256:0C7A55D81EA925EAD78F0CD4E3031D280872FC67625CD81173DA4F8688CD8D4D
                            SHA-512:0FFEDBEE250DF0A7856F798FB0BE7DD1975D2EAC7BF9F28E5801AF213BAB332F6ED367450DE871B644BA6C183D0F1BBB9AA14E4A21FAF6CCA432347D0A8DAEE3
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:true
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):131386
                            Entropy (8bit):3.2071656578747376
                            Encrypted:false
                            SSDEEP:
                            MD5:336EACEAD6581AD0FA3E70FCC86746C1
                            SHA1:3068F2205CAE571A18B9A721A88DEC422FD18287
                            SHA-256:4334BC3509129E944D07BE793338719196B98BE770D4B9CE09F47F9CF85F0C13
                            SHA-512:F19DF5908D2D6E9FA732A7CCB7E342206F16940285C1A546DF377C7D97FD6608BC3D6FC8A82E347AF5806C39F7535A34D5364F9E695F9A2DBE15E8B8C5EA0E88
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):131386
                            Entropy (8bit):3.1945904643701994
                            Encrypted:false
                            SSDEEP:
                            MD5:1140811A039D4B7D652A58B5E5E764B5
                            SHA1:B34C45D0502B216F5CC68D2D11C490EC36AC924C
                            SHA-256:904D4AFA098041867CBA55B9057447C13002AE824194C3512AF9378C87D19DEA
                            SHA-512:85BEFC3AE7C579182CC19EFABB25E9A2D82AF6D5491F899671489D885E01D741B5C2065F5F53BC99207D0D05CEBD4E13C07DD7472E3BB4F379A75D87E48AE09A
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):131386
                            Entropy (8bit):3.2211048477544835
                            Encrypted:false
                            SSDEEP:
                            MD5:674D9D7B66081946FD6C59C6C92F6A62
                            SHA1:948BEE2F9BF044FD05709724C882A5E65ECAED54
                            SHA-256:85BF0D910AA7A79AA05E90E576A0F45FCF1185145739C47AA8A1B7D606E1FD66
                            SHA-512:A0AF3AC85FD520FF076B232ADEC734009EFCFDD379918ED49FCC94055872BA80EBA8124086739170E0E6BD346886602B3FBC140534F3D0423F64B026CD554D47
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):131386
                            Entropy (8bit):3.2020317324449836
                            Encrypted:false
                            SSDEEP:
                            MD5:BFADBB251942DDCFC8C926C43E1E2732
                            SHA1:4BA407941CA93235248314461F502E6901E2E95C
                            SHA-256:027AD640FFBBDB2594F509068BC0CB2C193561E1B004B9C2D46FC19BBDB42AE3
                            SHA-512:8A084745478957E791D0AC11C736298D3419503B44867D4E78C187DFB2D3C4A6EFABFB519BB580831008F8E1B785EF0CE0547DF95234D5302FE84407B5386D25
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):314
                            Entropy (8bit):5.806738797243858
                            Encrypted:false
                            SSDEEP:
                            MD5:0E09A7C300F4272B1DA8A7DE8FF20987
                            SHA1:B2378A9CA2C8307D85AED3F7632D32F991819FD7
                            SHA-256:976CCE74964F48C4436E2C7A4E5FCA8651D6DEE96CB6FDA72121BA3F84BCBCFB
                            SHA-512:4642A38F6E605EEFD088267B8532C53D1678963242EFA6087B1666A748786772DAA1A3DD46D3C57C6EB695032FC70047F6C486752011B168DD62FFD9E6ECF2C3
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:true
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:COM executable for DOS
                            Category:dropped
                            Size (bytes):766
                            Entropy (8bit):6.911237218629068
                            Encrypted:false
                            SSDEEP:
                            MD5:8FB5335CB8930B59682A0980ABF9678D
                            SHA1:9C3E04B834F6F1BF3EBB07A1BC599DAB817B3AFB
                            SHA-256:463C8828E431BE6DBC79BE64043B15971218C4375E6C43014045B71F2F26EB43
                            SHA-512:627BDB31D9FDC55A7325B5BA6D4928C96375AD5AACC203D05A5C6F27EA73338D0FC124DDB474C6311933238B5F363072A5E7C07367ECA0F49024CEAE57DC2BBB
                            Malicious:false
                            Preview:.#./....\&z......lp.g..V.51..).!...y.!Lv.=....([..c...s.w.!./....R&f......lY...V...5V..).!...y6!Iv.....4(A..c...=.).v../....&%........l..[..V...59..).!...y*!.v..i...v(...c...1.+.s../...7&W.....l@.5.V..5a..).!...y.!~v.U....(^..c...l.%.v../....x& ......lN...V..5...).!.yI!'v.4...2(T..c...=.*.J../....t&P......l..[.V.5j..).!.y}!.v..i...v(...c..0.5.w../.....&$........lo.(.V...5...).!...yt! v.......(^..c...=.).........&.g.f.."o..h}|G.....b.=./)Z|.......2......p....G.$.....T......g.y.....u.........E..............N.z..:L.U....x.?;!.!4O..D....K.&j(h._.g.....Y@.7.....d4R...p_.4......`zD....8T!O....u.......jBow'.g..%.............................................................................................vux2f891j9j.
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:true
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):732
                            Entropy (8bit):6.849545280801644
                            Encrypted:false
                            SSDEEP:
                            MD5:0ACFE612581EF43231C45DCE8413D217
                            SHA1:4148BFB1658A680E832D6C5E58422380849954EE
                            SHA-256:33372544E9E681EAA1BB829271C9018D6CA4D4D8E3B7AA73989D76EE172C4DB3
                            SHA-512:417AC6161D19FC00D1F611A36D10E77CC68EFE185DE49EA448A625A2FA994E25A4971F4D1C6F62B0C3C50665212AFBC4C0148C283C495280FFDEE70DF3704B73
                            Malicious:false
                            Preview:).....w.=..&.elj..^...W..M.wV'./X@...G.T.s....C.`.=..W...#.N`.KL...}...\..&.e/jp.3...6.M.w<'./t@..nG.T.s..!.m.O....W....j.#`.KL...y.Y.u..&.elj..^.i.^..M.w.'./.@.HG.T.s.U...-...W...u.N`.K....L...R..&.e.jr.~./.>.M.wa'./$@..pG.T.s....e.N....W..c.:`.Kb...z...^..&.e#jy.8...4.M.w$'./H@...G.T.s....|.-...W....w.!`.K_...q.W.{..&.e.jl.~.A./..M.w;'./A@..+G.T.s..:.j.Y.M..W....l.-`.K\.O.f.f.i.c.e.1.6.\.D.C.F.\.e.n.\.....q.t.(.k.....<<.\.g.{...L..*..I.....Q...vw0@..Vn.S.9..Q...../....{W.....@.TkZ}M..eJ.|..`K..C.n...(U.;..Z..l.5-.25+./....~.r)..J....T.T..h....7.../.Y.....7..I.M....Sl. .>.Lqe...../.Po....Iz..................................................................................................vux2f891j9j.
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):664
                            Entropy (8bit):6.735349193169874
                            Encrypted:false
                            SSDEEP:
                            MD5:EA26CF2C55599D57B293ED31DCE12F2A
                            SHA1:99A281972DF7DD8E8A68C4C94CA9D5886813052B
                            SHA-256:27092978B814C888FCF8D8C05DE2F5BE3B4F36E6F97BD2A88A0CCDABAB543B47
                            SHA-512:2455BB73BE960F420C051E00177DBFFC0CF20686F22BC9F674809A4A4D6FD584A0CB6900814A96BABD3149A213F86FC2116D5A0A82565E20CE849CDFD0971AE5
                            Malicious:false
                            Preview:..V..4.....mM..3..<..5.....#.....r.r.....x....].$V(.+.\....p.......4.....m...3..f..5..#....r.r.....x.....nV..0.s.....}p......4.....m*..3d...+5.....#.....r.r..8..x....U..Ve...|.x.wp..v....4.....m(..3J...m5.....#....r.r..3..x......+V<.#.}.x.vp..7....4.....m(..3%.N.s5...#.....r.r..o..x....l.HVI...f.t.tp\.O.f.f.i.c.e.1.6.\.1.0.3.3.\....-.<h8.*..Pd.)../....'.../7w>cV..|F_H.*y..,..]...Z..fWD.X.#*q.{5j.X@1.L....ai.fe. ."...#. ..l....[P..<....x.6J..RO..b......E.j`.<k6...>...;....r...-). ~..E.....Qs.`..-H..uK...<.jM./.2....b;=&..|.....................................................................................@.........vux2f891j9j.
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):664
                            Entropy (8bit):6.811614372944883
                            Encrypted:false
                            SSDEEP:
                            MD5:95A79F9993B4444A52BF2AD7156EDB25
                            SHA1:6DEB39D4F5C1112A092B27E81475DF345BD3DDC7
                            SHA-256:1D221F12742E663397844B374D42ADEBA7D4D3363CAC716C4DB4CC2784E709AA
                            SHA-512:E68DA3BC453F2D376FCBBC3DBAE604ABE0EDDAEA02B4FB6ACA3FE2010789A740E7C903DAA9EAEB0B1EC8B8397EEEA3670CE9DF90B50707C2E16B46F617B8520B
                            Malicious:false
                            Preview:..'.jgw...th.>s.'.-....:.R..Qg.^\.4..L..N4.........v.h<.M2.....'.j7w..t .fs.'.-....0.[..Q4..\.4@.^..Ns.....J..vf.0<IM .....'.j;w...t..Ys.'.-....v.;..QP.l\.4h.&..NE......%..v.._<;MO.....'.j.w...t..[s.'.-....Y.1..Q..)\.4q.n..N@.........v.`<:MO.....'.jGw..t..[s.'.-......d..Qi.R\.4#.,.N........l..v.V<!MC...\.O.f.f.i.c.e.1.6.\.1.0.3.3.\....2..;\.......?..A...l.iC.......E...e...T....(..|.Yv?Z)RV........i...xO...Y.....?..T9.u.rFt......,h.oD.D......H.Q....>..W!...R..v[`..53.."........S..9CO...*...>.L...<.U..:$Zl....h.?.e..5..o.il...G....................................................................................@.........vux2f891j9j.
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):670
                            Entropy (8bit):6.687903961344839
                            Encrypted:false
                            SSDEEP:
                            MD5:FE8B349B81FE95B0D4E78E8985E75B3A
                            SHA1:2A9ADEF94F88C3B0C4AD1BEEB2B0883A25C988F4
                            SHA-256:B0CC8E6F112363E7CF83C42489845ED0388B08F136E9AD70F7D49CDFFDC2D80E
                            SHA-512:BED26AA7027882EB436905D085AF39DC49C6184CF7FF454FE535C3E9AC819620846165FEFAEAD5FBC728F1C62D3D3181A84DA163F52AD324F2D59E7DAEC582E9
                            Malicious:false
                            Preview:.A.$IjliWA.Y"x....$f....*......A......X..A.C...T..x.....RPG.A.$.j>i.A.Ytx_...lf.....*.....NE......X.MA.C......\x....sR.G.A.$%jli.A.Y~xJ...Kf.....*.......A......p.5A.C....^..x.....RlG.A.$/j.iwA.YDx|...Gf.....*.....$A......i.}A.C...n.\x.....RSG.A.$.j.i6A.Y.x\...Hf.....*.....qA.......;.?A.C...d.(x.....ReGi.c.e.\.O.f.f.i.c.e.1.6.\.1.0.3.3.\...... ..*...x&.b.* .w..6..0....Y...X..L..m....s..x..x,Xw...6d]..M.....n.P...9...f...."........ .N...g........%.Q.d..I..b!v..{..".><*..1...U.T...aC......S..i..k...I7..xQx.Z.E...K6..9...PDc..lg.NGk..{...................................................................................@.........vux2f891j9j.
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):658
                            Entropy (8bit):6.798487233903024
                            Encrypted:false
                            SSDEEP:
                            MD5:DCB28CAA9ACEBFE6218EE20987FDC6F0
                            SHA1:275D7AD28FD0F836CB314C219F0083BAE8420BA3
                            SHA-256:1B6CBA3F15854B3B8B8B2E320279AFBC43AB1D9B8189CACAF2AD0061A663F4A8
                            SHA-512:2EDB9BF8F1C2D818A42F93A6A92239D9D68B4C851044698E86F339331A1372F52D0AFE2A795E97C16CD782D2EC8C6A33BF492C72A832907C41217F12FBAA17E0
                            Malicious:false
                            Preview:U.....c.....,..%..=u.W...../.<.>^XJ.x..7..!.mY.I_.5e2..}..Z......+....,..%..=u..W....\/.<..}^HJ.x...7..b..Y.I..feN..}..9...........M..%..{u..;....}/.<..E^~J=x..7....1Y.It..eD..}..L.7.........c..%..Tu.2...../.<..N^{JHx...7..X..Y.Iu..eE..}..n.q............%...u..~....4/.<...^;J{x..7..-.%Y.In..eG..}..e.f.i.c.e.1.6.\.1.0.3.3.\...G..m....P..-.+.....G...v..gX.i$"|.......^.F@.. ...s^......emU..H].{.......C...7.C..$R..Y..b.....}.W.p;.4...n.k.....)....y./Q..x...r......kc....FX.k..N-Z.v.Tf.14...Q....IK.....#...q.....6.wH.'.h.....................................................................................@.........vux2f891j9j.
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):694
                            Entropy (8bit):6.6788496588302415
                            Encrypted:false
                            SSDEEP:
                            MD5:D1C96702F4311A6B373C1DB0C0A8C0C8
                            SHA1:FD17A75BCF9E9BE0BCAE7E0A7BC0C2FAC4EC297C
                            SHA-256:C8127112AA6C393D88178694BB788868310032CE0BA973ADE9C358F0381079F2
                            SHA-512:5244721213239CAD6D0E392EE11C83648EC2F9CBD818E75836A5C11EFBAE207CD8544EB5A5CE33F9D3409F62945DE5B70E3F04F39A48B54C124BB5B472796573
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):700
                            Entropy (8bit):6.902518070985199
                            Encrypted:false
                            SSDEEP:
                            MD5:14DAB6B1F48C5B1887D67885D4257644
                            SHA1:EDFCDA0BDFDCC82CF590F1C29E63A70E5C4DBEF5
                            SHA-256:A5E90FB950C11A26846ABEC3377D97BC2A247B1960D51C137BD91E0D48DAD304
                            SHA-512:9D74632E26C02F50B9CBF08465AC03371E34B526181C1293CC59F70CEB3E344DEE96DBE54739D4F81FE2B242B10DD2C9E04EF3F50735624DC825A07BA768AEB1
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):682
                            Entropy (8bit):6.693144519355536
                            Encrypted:false
                            SSDEEP:
                            MD5:388BEACA2991B7C6D5DA82713D1D6145
                            SHA1:2242E0BC0322F901B413653542D8B169FBFEEB54
                            SHA-256:23D64DA3400C730299268150D8A35651FBB4A3A14BDDA800FE507A6FC97526BA
                            SHA-512:E6B276A56BA96DAEAF09078C2DDB193E9CBA7725FFCEBD345686D839C2F2A830D61F15414CC88798BBE8B542547B93848E89589EF845FC158630672EFC0D1A98
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):664
                            Entropy (8bit):6.789886032267931
                            Encrypted:false
                            SSDEEP:
                            MD5:DF4AEA5C4C89E0E78AB366510432272E
                            SHA1:BD2383069502E596C4BC16E7055C82F051B78EE5
                            SHA-256:D3222FF5AF569CBAB3A68F0C5776A0A36586CE20EEAD80624DB193E3AFD2DA9C
                            SHA-512:AF1BF944E57D8D22963180BEEA09E870CD033A5CA4F30A469EE402D2445637BC6000979138EA2AAE50397A593E4ECC5BBB7C7E11D26E8FA95915522B34C512E4
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):664
                            Entropy (8bit):6.743350466204789
                            Encrypted:false
                            SSDEEP:
                            MD5:D65E4C22BB26D763B70592138D108204
                            SHA1:5A9BDD93B2BD8229F13BB14CA650B7ADEF51AEF5
                            SHA-256:BEECDF91546852FB6ED138E9611AEC17518841162233A6A500E1D5677F676D12
                            SHA-512:A24A9BF2F0CEA042BA83D00A91456CF880A4CE40BB292C5CDD7A2E99D966449E83E007CD939E922F23785DBC473E3A432FCCA84AD6C41D287936C069F79E1C42
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):676
                            Entropy (8bit):6.783132154753286
                            Encrypted:false
                            SSDEEP:
                            MD5:C3C2B912E789DACA18227D7CD681C999
                            SHA1:C5A1ECA62D4CF838C94B9EC379CD21394B7AEB01
                            SHA-256:CF8E0894D48303D6FD0760141FB0A632BB9F43CCD08ED660A3ED780886CD636F
                            SHA-512:F3002B60B3B734BAF28F53FB1F91082F4E821D10C46E1FA510C1A0C56E45998944E53ED6747FF68B149BB98FC003A05DFF48C316CBF1AAFD96DEB74D4A0560D0
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):676
                            Entropy (8bit):6.700684483579208
                            Encrypted:false
                            SSDEEP:
                            MD5:8AE982EECF9D302982F6F0B59CF67051
                            SHA1:A518460DD789D97DC493D0FB9AF936BB954CE0D2
                            SHA-256:65959D0D3BC7CC992E69DB04F39933EC1D3A542D3A65BD84202E02C438E61BB8
                            SHA-512:35CB569B824A630A362A074132979CBD717497571A41A7122C248B9378A1145B7637C705440867D2D886C40B8B9249790065D4A43A568676F6AE766EEAC32978
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):682
                            Entropy (8bit):6.692582521593951
                            Encrypted:false
                            SSDEEP:
                            MD5:83E46A4A78E3A2985026ABC72E25215C
                            SHA1:30E8BC7FDF64F92A4A225BB119513DEEDC7A8632
                            SHA-256:82A7E706EABBFDEDC7A97407E2717403160331202E5EBB78CD48C39100A3D89F
                            SHA-512:4B73E1FE7FB87F81E06D7844A89581C97E1BD0A8D8682415FA5E21973233FFCC4EEB5E0C3889146A75A0E6E8BDE24502FCA696C75D9BD3DC5B537459C975BB01
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):676
                            Entropy (8bit):6.719795376156817
                            Encrypted:false
                            SSDEEP:
                            MD5:6DD17A1D53396D60D7832C1B272DCB02
                            SHA1:2A1CCBBF65F606F83401F1E0A5120B271F08F5A8
                            SHA-256:479FB642C1843A2AF67060EC614500B8BA5941A6BF390BBEEEC924DEE2E82FC9
                            SHA-512:A410C15336C3B2AD97452D3F5AC9348EC9654B6F0446D54714D20696D660B3EB893EA0A227D43AB106C85A96CB25B8920518B9C12C96D7B70C8F3294EFB72543
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):676
                            Entropy (8bit):6.810210386329529
                            Encrypted:false
                            SSDEEP:
                            MD5:07B0177700B39CFE2DB0B1599932D47E
                            SHA1:79910163A5D4295D702E22DAFAA95F1A166BC688
                            SHA-256:F40EDFEEC7846545E97C6C6D6C262A4F8436069D8E9B4EB311F4BE783BDBA27C
                            SHA-512:F505911F3D92DD15339C3C4FF8F55FC4A4014D06D4B7906F41F3FFDD974B4C4C2FBF2EC76EEBD8CDF45F9D36F877DFD05F403C4075DFA1E0075F8C24C0D8F18B
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):712
                            Entropy (8bit):6.8939584280013975
                            Encrypted:false
                            SSDEEP:
                            MD5:86A14C0555486302567A0C66657407FD
                            SHA1:B382417719489AAC3EB7B688E0D4E31903E9DEF4
                            SHA-256:79F95411FA06AF3E398F149374D9A1B39B05CE99725D400FB8A4DE8BE40390E8
                            SHA-512:EE56CE24419701F629EDBB4DBA8858EBD208EBCD204FB10B15A532AA50F87517CEFFB4340BA0EF0D509C710D2CD0CCE647440A25F2663A90A738AA6F9F4D039C
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:OpenPGP Public Key
                            Category:dropped
                            Size (bytes):718
                            Entropy (8bit):6.814610316754448
                            Encrypted:false
                            SSDEEP:
                            MD5:E4F9A48717CB5C07E7C157B75A145A20
                            SHA1:801D94452EF7E5859764A37BCB9E8E69E4911A65
                            SHA-256:29A8C036D853FE0B15B0C11280AE8654674E24D834C5AB9B805071DC853F126B
                            SHA-512:C9546759BF3C8548AECC7C8234890556FA6D2AEF1B0E0264C48ACBE48F397AC6BCCBD6DB251720D1C426B68EB1F573559BF44ED51DC842EDA0E2472D45B75C36
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):724
                            Entropy (8bit):6.867487313271094
                            Encrypted:false
                            SSDEEP:
                            MD5:C235E90DB628D821FB7C14F6D4DCFCA3
                            SHA1:23335A20C1290895EE0023B3828B6143D6435543
                            SHA-256:B2ED2D7C78ACA91C0AC2B5C58BD24F3C0D284F11C7079501A3F5CA8695DD6754
                            SHA-512:346B42B69DCC0538F782229BAF94D1658B36C98B412707C8A8E87C1F6B1C50CFCF3737366F28A22B18A9137A4C0E630F54AD3EB270B9A6345F31D5477BD1DB4D
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):750
                            Entropy (8bit):6.772210579822816
                            Encrypted:false
                            SSDEEP:
                            MD5:749BA8337DFFDCA13839938842ED1637
                            SHA1:AC07E160D2A304C0D787669E59D6F4B4106C12A2
                            SHA-256:109E3074600F006FAE4B7C55750A543C2E3387BECEB8A757D02691DC6E3939B9
                            SHA-512:D4000AA614C1C0A1C5FD1175BECF54287DC42389BBEB3A5BDACA7B0C2AE19FDD2F770E48A446BB9A4EAF111D445331E82A7097B87C4E379C842197361B45B971
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):676
                            Entropy (8bit):6.8077260440417895
                            Encrypted:false
                            SSDEEP:
                            MD5:F015081E6ACA0FA9FABE7E830D8E704F
                            SHA1:9A8AD11881182C1B08B5C6E3EE7F159AF345AB77
                            SHA-256:04166E923EA842338B2BAF405563B7AC6EC1E51DF803852BDF57CBE217F339DB
                            SHA-512:F49E20047041B83B7AA758BBB66FBACCA92D65BEAEABD8488C5031C48DF6FDDCC0B091C5FE80A90E6D011FC99851ED2F33B75193A2803FFA2AA069012F7CF5DA
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):6576
                            Entropy (8bit):5.579206916885159
                            Encrypted:false
                            SSDEEP:
                            MD5:EA83F570FB4CF0BB4EC7FC0F79E367AA
                            SHA1:2E22B61B03E8D5C6990FCA2BB04E187A397758C8
                            SHA-256:627F4424FF323FB66F4FB975428D49523AAA2275991259BBA1806B9A96DACE99
                            SHA-512:3D0CC035C88F421C76D3F6706AEF7FC5D22C70B6AD0E2B85DB3212CE4FE9B3B3F10AE2A290AE8080CB376745F99ADB99F2FC397BC68AE0BE1412385AA360875C
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):6576
                            Entropy (8bit):5.579206916885159
                            Encrypted:false
                            SSDEEP:
                            MD5:EA83F570FB4CF0BB4EC7FC0F79E367AA
                            SHA1:2E22B61B03E8D5C6990FCA2BB04E187A397758C8
                            SHA-256:627F4424FF323FB66F4FB975428D49523AAA2275991259BBA1806B9A96DACE99
                            SHA-512:3D0CC035C88F421C76D3F6706AEF7FC5D22C70B6AD0E2B85DB3212CE4FE9B3B3F10AE2A290AE8080CB376745F99ADB99F2FC397BC68AE0BE1412385AA360875C
                            Malicious:false
                            Preview:.m....2.".#....... .}&.]4...]_;..SJ.9..{.g.2j5..R.C..F.I6.{.s.3.....C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.O.f.f.i.c.e.1.6.\.1.0.3.3.\.M.S.A.C.C.E.S..mP..\2.".#.....f .|k..4i..]c;.qJ.9$...e..j..7R.C..P.*6....`.(.E.n.g.l.i.s.h.). .2.0.1.6. .-. .P.r.o.d.u.c.t. .H.e.l.p..... ...$...M.S...O.N.E.N.O.T.E...1.6...1.0.3.3.....C.:.\.P.r.o.g.r.a..m/..z2.".#.....z .|..R4V..]e;..lJ.9#.W.B..jF..R.C.....6......f.f.i.c.e.1.6.\.1.0.3.3.\.O.N.E.N.O.T.E._.C.O.L...H.X.C.f...M.i.c.r.o.s.o.f.t. .O.n.e.N.o.t.e. .M.U.I. .(.E.n.g.l.i.s.h.). .2.0..m9..>2.".#.....w .|R.[4B..]`;..J.9l.8...wj+..R.C..1.36......S.E.C.O.M.P.A.R.E...1.6...1.0.3.3.....C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.O.f.f.i.c..m>...O2.".#......l .|b..4~..]n;.mJ.9..W.I..j.. R.C.....6..e.(.x.c.^...M.i.c.r.o.s.o.f.t. .D.C.F. .M.U.I. .(.E.n.g.l.i.s.h.). .2.0.1.6. .-. .P.r.o.d.u.c.t. .H.e.l.p.....H...:...M.S...S.P.R.E..mK..[2.".#.....O .|g.)4O..]=;..0J.9`.
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1091
                            Entropy (8bit):4.804750185554599
                            Encrypted:false
                            SSDEEP:
                            MD5:BA21D49977850F54961EDE73B7E9E480
                            SHA1:BD630B3DBE9D7139527C1FFDBB2161E7A9067AE0
                            SHA-256:34757273C5E041F07B0352C51CFAB2998AB676F3A39BC0F16A1B4D68F3FAC4F8
                            SHA-512:4BF9BE5F41F7258357E838BA94F0AA2B7F17D8FE3266174AAF123156B422C4FB72E4D3FD36DB7B2E3E9D13202202D2A6B0ECCA06EE2A2A043CE6AD27FFD751E2
                            Malicious:false
                            Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: 26d371a9-efda-4e82-9989-01e292244d65......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1379
                            Entropy (8bit):7.557302143356937
                            Encrypted:false
                            SSDEEP:
                            MD5:048F8A355BEB07AE66E6308EB91C811C
                            SHA1:0F5EBAF68E50B56010A5B115C56D24EC4FE3C78D
                            SHA-256:F465435F462AD9533DBF036562B225803D3D4EC13C76220E9393F3FDEE23E353
                            SHA-512:0755959AA044288ED0C5F5152D9B4B37CBCA29612FDE677338CAD98F1B073FC48B6BC0F9768C72159AC758CCF48E3DC3D8C264D3FA576968C739177C503875EE
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1307
                            Entropy (8bit):7.5381968664630135
                            Encrypted:false
                            SSDEEP:
                            MD5:DF3F1F0C89883E394A7A06D6DA4EDC67
                            SHA1:D472902A94D40ABABE3D354C549001CE8AAF9EB2
                            SHA-256:7901F445977D208F9D907F608E4F1E7DC8B703CE6FEB519651EA14609199CABF
                            SHA-512:A5A14912B2CDE41D90B3170FF7BAFCD82725510770BFD2F99D336DA5C8DDA1D4D1448B056052933DD20F55B40E53F1B9B0522E0669839EEF9B6CF7A393931CAD
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):262458
                            Entropy (8bit):4.961308928093909
                            Encrypted:false
                            SSDEEP:
                            MD5:A43903B2B30221710CCA57F19B39D8F4
                            SHA1:6BF38E8F635F31099AB940EF60B927CCBF1903B8
                            SHA-256:279B546A26A61333C638B637CE015DFD0146C5559889FE5D69ED2D077E0F2FAA
                            SHA-512:9A6429EA3DEC1E25E2D0234F71901E935EDEA17EB139B9ACF3ED793021A22C2E43F6D98773298B1C5C81E751CDCD4A388014C0F9162776E91492FA7C914F6AA7
                            Malicious:false
                            Process:C:\Users\user\Desktop\HkObDPju6Z.exe
                            File Type:MS Windows icon resource - 1 icon, 64x64, 32 bits/pixel
                            Category:dropped
                            Size (bytes):16958
                            Entropy (8bit):2.9616661784314777
                            Encrypted:false
                            SSDEEP:
                            MD5:A1FAD2EA0C8FCBD0875248172BB457E8
                            SHA1:648F40B1CC77AB6B34013F696F1C07D7ADF303CF
                            SHA-256:2E6C63AB7769F3F7EA2F3622A865D857ECB14D7F2DDBD4AB64E15B6C3DC5E14A
                            SHA-512:034DC081B23FC5A42D23AA3CB76A50A329BAD1BC79CCF37A33C9C78CC642D941AE22649879AC43F87077000711CEF0FBECE27C80313F83C53195084CFE6528F2
                            Malicious:false
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.044268283359809
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.94%
                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:HkObDPju6Z.exe
                            File size:1489920
                            MD5:6441d7260944bcedc5958c5c8a05d16d
                            SHA1:46257982840493eca90e051ff1749e7040895584
                            SHA256:723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224
                            SHA512:af88fd3a0a2728c811be524feee575d8d2d9623b7944021c83173e40dbec6b1fbe7bea64dcdd8f1dbebc7d8df76b40e5c9647e2586316ea46ceb191ebcf14d89
                            SSDEEP:24576:1p2gwjk6ikYhJ9lvGnYZvy48/V33ck7LnBAyldFu8hod/Qodly:1AgxkmvGnYWccjBAwFadRd
                            TLSH:9B65D000B680C036FA722870556AABB2897EBC30976555CF23C43D7B6E726D19D3672F
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......W.....................L.......7............@..........................P............@................................
                            Icon Hash:3fc7a3c665f3c37d
                            Entrypoint:0x4237d9
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x5717C407 [Wed Apr 20 18:01:43 2016 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:0
                            File Version Major:6
                            File Version Minor:0
                            Subsystem Version Major:6
                            Subsystem Version Minor:0
                            Import Hash:e7481059b799ac586859298d4788584d
                            Instruction
                            call 00007F0D4C6EC74Dh
                            jmp 00007F0D4C6EBEA8h
                            retn 0000h
                            push ebp
                            mov ebp, esp
                            mov eax, dword ptr [ebp+08h]
                            mov eax, dword ptr [eax]
                            pop ebp
                            ret
                            push ebp
                            mov ebp, esp
                            mov eax, dword ptr [ebp+08h]
                            mov eax, dword ptr [eax]
                            pop ebp
                            ret
                            push ebp
                            mov ebp, esp
                            mov eax, dword ptr [ebp+08h]
                            mov edx, 0048E840h
                            mov ecx, 0048E840h
                            sub eax, edx
                            sub ecx, edx
                            cmp eax, ecx
                            jnbe 00007F0D4C6EC083h
                            int3
                            pop ebp
                            ret
                            push ebp
                            mov ebp, esp
                            mov eax, dword ptr [ebp+08h]
                            mov edx, 0048E840h
                            mov ecx, 0048E840h
                            sub eax, edx
                            sub ecx, edx
                            cmp eax, ecx
                            jnbe 00007F0D4C6EC087h
                            push 00000041h
                            pop ecx
                            int 29h
                            pop ebp
                            ret
                            retn 0000h
                            push ebp
                            mov ebp, esp
                            mov eax, dword ptr [ebp+08h]
                            mov edx, 0048E840h
                            mov ecx, 0048E840h
                            sub eax, edx
                            sub ecx, edx
                            cmp eax, ecx
                            jnbe 00007F0D4C6EC093h
                            cmp dword ptr [0047E620h], 00000000h
                            je 00007F0D4C6EC08Ah
                            mov eax, dword ptr [0047E620h]
                            pop ebp
                            jmp eax
                            pop ebp
                            ret
                            push ebp
                            mov ebp, esp
                            cmp dword ptr [0047E620h], 00000000h
                            je 00007F0D4C6EC08Ah
                            mov eax, dword ptr [0047E620h]
                            pop ebp
                            jmp eax
                            pop ebp
                            ret
                            push ebp
                            mov ebp, esp
                            mov eax, dword ptr [ebp+08h]
                            mov edx, 0048E840h
                            mov ecx, 0048E840h
                            sub eax, edx
                            sub ecx, edx
                            cmp ecx, eax
                            sbb eax, eax
                            inc eax
                            pop ebp
                            ret
                            push ebp
                            mov ebp, esp
                            mov ecx, dword ptr [ebp+08h]
                            mov eax, ecx
                            sub eax, dword ptr [ebp+0Ch]
                            sub eax, 0000E800h
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x90c70 | 0xf0 | .rdata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11e000 | 0x50378 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x16f000 | 0x5110 | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8e780 | 0x70 | .rdata
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x8e880 | 0x18 | .rdata
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x85578 | 0x40 | .rdata
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x90b68 | 0x40 | .rdata
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x1000 | 0x7c9ea | 0x7ca00 | False | 0.41879348984453363 | data | 6.631020869912357 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rdata | 0x7e000 | 0x14e72 | 0x15000 | False | 0.5792178199404762 | data | 6.1426369171952455 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .data | 0x93000 | 0x8a5b0 | 0x84800 | False | 0.9093639445754716 | data | 7.357984406581138 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rsrc | 0x11e000 | 0x50378 | 0x50400 | False | 0.501323379088785 | data | 5.824284929352815 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc | 0x16f000 | 0x5110 | 0x5200 | False | 0.784108231707317 | data | 6.756606998856607 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country
                            RT_CURSOR | 0x147588 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | English | United States
                            RT_BITMAP | 0x1476d8 | 0x3c28 | Device independent bitmap graphic, 240 x 16 x 32, image size 15360, resolution 3779 x 3779 px/m | English | United States
                            RT_BITMAP | 0x14b300 | 0x428 | Device independent bitmap graphic, 16 x 16 x 32, image size 1024, resolution 3779 x 3779 px/m | English | United States
                            RT_ICON | 0x11ec00 | 0x1011a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                            RT_ICON | 0x12ed20 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States
                            RT_ICON | 0x13f548 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States
                            RT_ICON | 0x143770 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States
                            RT_ICON | 0x145d18 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States
                            RT_ICON | 0x146dc0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
                            RT_ICON | 0x147288 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors | English | United States
                            RT_ICON | 0x14baf8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States
                            RT_ICON | 0x15c320 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | English | United States
                            RT_ICON | 0x160548 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States
                            RT_ICON | 0x162af0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States
                            RT_ICON | 0x163b98 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States
                            RT_ICON | 0x164050 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States
                            RT_ICON | 0x165110 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States
                            RT_ICON | 0x1661d0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States
                            RT_ICON | 0x167290 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States
                            RT_ICON | 0x168350 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors | English | United States
                            RT_ICON | 0x168650 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States
                            RT_ICON | 0x169710 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors | English | United States
                            RT_MENU | 0x169a10 | 0x53e | data | English | United States
                            RT_DIALOG | 0x169f50 | 0x1a8 | data | English | United States
                            RT_DIALOG | 0x16a0f8 | 0x1b0 | data | English | United States
                            RT_DIALOG | 0x16a480 | 0x1dc | data | English | United States
                            RT_DIALOG | 0x16a660 | 0x1dc | data | English | United States
                            RT_DIALOG | 0x16a840 | 0x130 | data | English | United States
                            RT_DIALOG | 0x16aaa0 | 0x210 | data | English | United States
                            RT_DIALOG | 0x16a2a8 | 0x1d4 | data | English | United States
                            RT_DIALOG | 0x16a970 | 0x130 | data | English | United States
                            RT_DIALOG | 0x16bbe0 | 0x560 | data | English | United States
                            RT_DIALOG | 0x16c140 | 0x244 | data | English | United States
                            RT_DIALOG | 0x16acb0 | 0x4a2 | data | English | United States
                            RT_DIALOG | 0x16b158 | 0x4ae | data | English | United States
                            RT_DIALOG | 0x16b608 | 0x3ba | data | English | United States
                            RT_DIALOG | 0x16b9c8 | 0x218 | data | English | United States
                            RT_STRING | 0x16c928 | 0xa6 | data | English | United States
                            RT_STRING | 0x16d510 | 0x1e0 | Matlab v4 mat-file (little endian) i, numeric, rows 0, columns 0 | English | United States
                            RT_STRING | 0x16d738 | 0x1b0 | data | English | United States
                            RT_STRING | 0x16c800 | 0x124 | data | English | United States
                            RT_STRING | 0x16c9d0 | 0xb3e | data | English | United States
                            RT_STRING | 0x16c388 | 0x478 | data | English | United States
                            RT_STRING | 0x16d6f0 | 0x48 | data | English | United States
                            RT_ACCELERATOR | 0x14b728 | 0x1a0 | data | English | United States
                            RT_GROUP_CURSOR | 0x1476c0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                            RT_GROUP_ICON | 0x147228 | 0x5a | Targa image data - Map 32 x 282 x 1 +1 | English | United States
                            RT_GROUP_ICON | 0x1650f8 | 0x14 | data | English | United States
                            RT_GROUP_ICON | 0x168638 | 0x14 | data | English | United States
                            RT_GROUP_ICON | 0x167278 | 0x14 | data | English | United States
                            RT_GROUP_ICON | 0x168338 | 0x14 | data | English | United States
                            RT_GROUP_ICON | 0x1696f8 | 0x14 | data | English | United States
                            RT_GROUP_ICON | 0x1661b8 | 0x14 | data | English | United States
                            RT_GROUP_ICON | 0x1699f8 | 0x14 | data | English | United States
                            RT_GROUP_ICON | 0x147570 | 0x14 | data | English | United States
                            RT_GROUP_ICON | 0x164000 | 0x4c | data | English | United States
                            RT_VERSION | 0x14b8c8 | 0x22c | data | English | United States
                            RT_MANIFEST | 0x16d8e8 | 0xa90 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2644), with CRLF line terminators | English | United States
                            DLL | Import
                            SHLWAPI.dll | PathGetDriveNumberW, StrCmpNIW, StrDupW, StrChrA, PathRelativePathToW, PathIsPrefixW, PathFindFileNameW, PathUnExpandEnvStringsW, PathIsRootW, PathCanonicalizeW, PathFindExtensionW, PathCommonPrefixW, PathCompactPathExW, PathRemoveExtensionW, StrFormatByteSizeW, PathStripPathW, PathRemoveBackslashW, StrRetToBufW, PathMatchSpecW, StrCatBuffW, PathUnquoteSpacesW, StrChrW, StrTrimW, SHAutoComplete, StrCpyNW, PathQuoteSpacesW, PathRenameExtensionW, PathIsDirectoryW, StrRChrW, PathAppendW, PathIsRelativeW, PathFileExistsW, PathAddBackslashW, PathRemoveFileSpecW, PathIsSameRootW
                            PSAPI.DLL | EnumProcessModules, GetModuleFileNameExW
                            USER32.dll | OffsetRect, OpenClipboard, BeginDeferWindowPos, GetSubMenu, TrackPopupMenu, LoadAcceleratorsW, DeleteMenu, ShowOwnedPopups, CopyImage, MessageBoxW, EqualRect, IsWindowVisible, ShowWindowAsync, GetMessagePos, LoadMenuW, CharUpperW, GetKeyState, DefWindowProcW, GetMenuItemInfoW, DeferWindowPos, GetMessageW, CloseClipboard, SetMenuItemInfoW, EmptyClipboard, RegisterClassW, SetWindowPlacement, FrameRect, SetMenuDefaultItem, EnumWindows, GetMessageTime, IntersectRect, SetFocus, BringWindowToTop, TranslateAcceleratorW, GetWindowDC, EndDeferWindowPos, SetClipboardData, CheckMenuItem, IsZoomed, KillTimer, PostQuitMessage, GetSysColorBrush, EnableMenuItem, RegisterWindowMessageW, UpdateWindow, IsIconic, GetWindowThreadProcessId, DrawAnimatedRects, FindWindowExW, GetDC, MonitorFromRect, SetActiveWindow, LoadStringA, SetWindowTextW, LoadStringW, DdeCreateStringHandleW, DdeConnect, GetMonitorInfoW, DdeInitializeW, SetTimer, SetWindowCompositionAttribute, SystemParametersInfoW, SetPropW, RedrawWindow, SendMessageW, wsprintfW, GetSysColor, CharPrevW, GetWindowPlacement, GetSystemMetrics, DdeUninitialize, DialogBoxIndirectParamW, DdeClientTransaction, SetLayeredWindowAttributes, CharUpperBuffW, SetRect, DdeDisconnect, SetForegroundWindow, LoadImageW, ReleaseDC, GetPropW, RemovePropW, DispatchMessageW, PeekMessageW, TranslateMessage, GetWindowLongW, GetWindowTextLengthW, GetSystemMenu, AdjustWindowRectEx, PostMessageW, CheckMenuRadioItem, GetWindowRect, GetFocus, DestroyWindow, SetWindowPos, CheckRadioButton, MessageBoxExW, CreateWindowExW, EndDialog, MessageBeep, CreatePopupMenu, WindowFromPoint, DestroyCursor, ShowWindow, DestroyIcon, GetDlgCtrlID, SetDlgItemTextW, MapWindowPoints, GetDlgItemTextW, SendDlgItemMessageW, IsWindowEnabled, IsDlgButtonChecked, DestroyMenu, GetMenuStringW, CharNextW, LoadIconW, LoadCursorW, GetClassNameW, SetCapture, InsertMenuW, SetCursor, SetWindowLongW, TrackPopupMenuEx, GetComboBoxInfo, GetClientRect, GetDlgItem, AppendMenuW, CheckDlgButton, GetParent, ReleaseCapture, InvalidateRect, ChildWindowFromPoint, GetCursorPos, EnableWindow, GetWindowTextW, DdeFreeStringHandle
                            KERNEL32.dll | RaiseException, GetSystemInfo, VirtualQuery, GetModuleHandleW, LoadLibraryExA, EnterCriticalSection, LeaveCriticalSection, DecodePointer, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, WaitForSingleObjectEx, ReadConsoleW, GetConsoleMode, VirtualProtect, CompareStringOrdinal, FreeLibrary, LoadLibraryExW, ReadFile, lstrlenW, WriteFile, lstrcpynW, ExpandEnvironmentStringsW, GetModuleFileNameW, SetFilePointer, SetEndOfFile, UnlockFileEx, CreateFileW, GetSystemDirectoryW, MultiByteToWideChar, lstrcatW, CloseHandle, LockFileEx, GetFileSize, WideCharToMultiByte, lstrcpyW, lstrcmpiW, lstrcmpW, FlushFileBuffers, GetShortPathNameW, LocalAlloc, GetFileAttributesW, SetFileAttributesW, FormatMessageW, GetLastError, GetCurrentDirectoryW, LocalFree, WaitForSingleObject, CreateEventW, SetEvent, GlobalAlloc, GlobalFree, ResetEvent, SizeofResource, SearchPathW, GetLocaleInfoEx, FreeResource, OpenProcess, LockResource, LoadLibraryW, LoadResource, FindResourceW, GetWindowsDirectoryW, GetProcAddress, GlobalLock, GlobalUnlock, MulDiv, CreateDirectoryW, FindFirstFileW, GetCommandLineW, SetErrorMode, FindClose, GetUserPreferredUILanguages, FindFirstChangeNotificationW, GetVersion, ResolveLocaleName, GlobalSize, FileTimeToSystemTime, FindCloseChangeNotification, LoadLibraryA, FileTimeToLocalFileTime, FindNextChangeNotification, SetCurrentDirectoryW, GetTimeFormatW, ExitProcess, VerSetConditionMask, CopyFileW, VerifyVersionInfoW, GetDateFormatW, MapViewOfFile, CreateFileMappingW, LocaleNameToLCID, FindResourceExW, LCIDToLocaleName, UnmapViewOfFile, GetVersionExW, GetLocaleInfoW, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, SetLastError, UnhandledExceptionFilter, GetConsoleOutputCP, HeapReAlloc, HeapSize, SetFilePointerEx, GetFileSizeEx, GetStringTypeW, SetStdHandle, OutputDebugStringW, SetConsoleCtrlHandler, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, LCMapStringW, CompareStringW, GetFileType, HeapAlloc, HeapFree, GetCurrentThread, GetStdHandle, GetModuleHandleExW, FreeLibraryAndExitThread, ResumeThread, ExitThread, CreateThread, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, EncodePointer, InterlockedFlushSList, InterlockedPushEntrySList, RtlUnwind, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, GetStartupInfoW, IsDebuggerPresent, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, WriteConsoleW
                            GDI32.dll | GetStockObject, SetBkColor, ExtTextOutW, EnumFontsW, GetDeviceCaps, SetTextColor, GetObjectW, DeleteObject, CreateSolidBrush, CreateFontIndirectW
                            COMDLG32.dll | GetSaveFileNameW, ChooseColorW, GetOpenFileNameW
                            ADVAPI32.dll | RegOpenKeyExW, RegQueryValueExW, RegCloseKey
                            SHELL32.dll | SHGetFolderPathW, SHGetSpecialFolderPathW, ShellExecuteW, SHCreateDirectoryExW, SHFileOperationW, SHBrowseForFolderW, SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHGetFileInfoW, SHGetDesktopFolder, SHAppBarMessage, DragQueryFileW, Shell_NotifyIconW, DragAcceptFiles, DragFinish, SHGetDataFromIDListW
                            ole32.dll | OleUninitialize, CoCreateInstance, OleInitialize, CoUninitialize, CoTaskMemAlloc, CoTaskMemFree, CoInitialize, DoDragDrop
                            ntdll.dll | RtlGetNtVersionNumbers
                            COMCTL32.dll | ImageList_AddMasked, InitCommonControlsEx, ImageList_Create, ImageList_Destroy, PropertySheetW
                            Language of compilation system | Country where language is spoken
                            English | United States
                            No network behavior found


                            Target ID:0
                            Start time:21:16:58
                            Start date:12/06/2023
                            Path:C:\Users\user\Desktop\HkObDPju6Z.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Users\user\Desktop\HkObDPju6Z.exe
                            Imagebase:0x1f0000
                            File size:1489920 bytes
                            MD5 hash:6441D7260944BCEDC5958C5C8A05D16D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_BlackBasta, Description: Yara detected BlackBasta ransomware, Source: 00000000.00000003.371931160.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low

                            Target ID:1
                            Start time:21:17:06
                            Start date:12/06/2023
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                            Imagebase:0xb0000
                            File size:232960 bytes
                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:2
                            Start time:21:17:06
                            Start date:12/06/2023
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff745070000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:3
                            Start time:21:17:06
                            Start date:12/06/2023
                            Path:C:\Windows\System32\vssadmin.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                            Imagebase:0x7ff6484d0000
                            File size:145920 bytes
                            MD5 hash:47D51216EF45075B5F7EAA117CC70E40
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:6
                            Start time:21:17:17
                            Start date:12/06/2023
                            Path:C:\Users\user\Desktop\HkObDPju6Z.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\HkObDPju6Z.exe"
                            Imagebase:0x1f0000
                            File size:1489920 bytes
                            MD5 hash:6441D7260944BCEDC5958C5C8A05D16D
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_BlackBasta, Description: Yara detected BlackBasta ransomware, Source: 00000006.00000002.463365199.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low

                            Target ID:8
                            Start time:21:17:26
                            Start date:12/06/2023
                            Path:C:\Users\user\Desktop\HkObDPju6Z.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\HkObDPju6Z.exe"
                            Imagebase:0x1f0000
                            File size:1489920 bytes
                            MD5 hash:6441D7260944BCEDC5958C5C8A05D16D
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_BlackBasta, Description: Yara detected BlackBasta ransomware, Source: 00000008.00000002.477620370.0000000003220000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low

                            Target ID:10
                            Start time:21:17:40
                            Start date:12/06/2023
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                            Imagebase:0xb0000
                            File size:232960 bytes
                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:11
                            Start time:21:17:40
                            Start date:12/06/2023
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff745070000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:12
                            Start time:21:17:42
                            Start date:12/06/2023
                            Path:C:\Windows\System32\vssadmin.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                            Imagebase:0x7ff6484d0000
                            File size:145920 bytes
                            MD5 hash:47D51216EF45075B5F7EAA117CC70E40
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:13
                            Start time:21:17:47
                            Start date:12/06/2023
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                            Imagebase:0xb0000
                            File size:232960 bytes
                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:14
                            Start time:21:17:47
                            Start date:12/06/2023
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff745070000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language

                            Target ID:15
                            Start time:21:17:48
                            Start date:12/06/2023
                            Path:C:\Windows\System32\vssadmin.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                            Imagebase:0x7ff6484d0000
                            File size:145920 bytes
                            MD5 hash:47D51216EF45075B5F7EAA117CC70E40
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language


                              Execution Graph

                              Execution Coverage:1.4%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:34.4%
                              Total number of Nodes:433
                              Total number of Limit Nodes:18
32602->32603 32604 210083 32603->32604 32604->32407 32606 1f2810 56 API calls 32605->32606 32607 1f4bd2 32606->32607 32818 1f2cc0 32607->32818 32610 1f2cc0 30 API calls 32611 1f4c06 32610->32611 32612 1f2cc0 30 API calls 32611->32612 32613 1f4c24 32612->32613 32614 1f2cc0 30 API calls 32613->32614 32615 1f4c42 32614->32615 32616 1f2cc0 30 API calls 32615->32616 32617 1f4c60 32616->32617 32618 1f2cc0 30 API calls 32617->32618 32619 1f4c7e 32618->32619 32620 1f2cc0 30 API calls 32619->32620 32621 1f4c9c 32620->32621 32622 1f2cc0 30 API calls 32621->32622 32623 1f4cba 32622->32623 32624 1f2cc0 30 API calls 32623->32624 32625 1f4cd8 32624->32625 32626 1f2cc0 30 API calls 32625->32626 32627 1f4cf6 32626->32627 32628 1f2cc0 30 API calls 32627->32628 32629 1f4d14 32628->32629 32630 1f2cc0 30 API calls 32629->32630 32631 1f4d32 32630->32631 32632 1f2ad0 31 API calls 32631->32632 32633 1f4d55 32632->32633 32634 1f2ad0 31 API calls 32633->32634 32635 1f4d8b 32634->32635 32636 1f29e0 31 API calls 32635->32636 32638 1f4dc7 32636->32638 32637 1f4e1c SHGetFolderPathW 32639 1f4e31 32637->32639 32638->32637 32638->32639 32640 1f29e0 31 API calls 32639->32640 32641 1f4e69 32640->32641 32642 1f4e70 GetSystemDirectoryW PathAddBackslashW lstrcatW 32641->32642 32643 1f4e9d 32641->32643 32642->32643 32644 1f25d0 2 API calls 32643->32644 32645 1f4eb9 32644->32645 32646 1f29e0 31 API calls 32645->32646 32647 1f4ee4 lstrcpyW 32646->32647 32648 1f29e0 31 API calls 32647->32648 32649 1f4f17 32648->32649 32650 1f4f54 SHGetSpecialFolderPathW 32649->32650 32651 1f4f67 32649->32651 32650->32651 32652 1f2ad0 31 API calls 32651->32652 32653 1f4f97 32652->32653 32654 1f2ad0 31 API calls 32653->32654 32655 1f4fd0 32654->32655 32656 1f2cc0 30 API calls 32655->32656 32657 1f5000 lstrcpyW 32656->32657 32658 1f5022 32657->32658 32659 1f5040 lstrcpynW 32657->32659 32660 1f29e0 31 API calls 32658->32660 32661 1f503b 32659->32661 32660->32661 32663 1f2cc0 30 API calls 32661->32663 32664 1f5081 32663->32664 
32665 1f2cc0 30 API calls 32664->32665 32666 1f509f 32665->32666 32667 1f2cc0 30 API calls 32666->32667 32668 1f50bd GetSysColor 32667->32668 32669 1f2ad0 31 API calls 32668->32669 32670 1f50e4 GetSysColor 32669->32670 32671 1f2ad0 31 API calls 32670->32671 32672 1f510c lstrcpyW 32671->32672 32673 1f29e0 31 API calls 32672->32673 32674 1f5145 32673->32674 32675 1f514c lstrcpyW 32674->32675 32676 1f5158 32674->32676 32675->32676 32677 1f2cc0 30 API calls 32676->32677 32678 1f516e 32677->32678 32679 1f2cc0 30 API calls 32678->32679 32680 1f518c 32679->32680 32681 1f2cc0 30 API calls 32680->32681 32682 1f51aa 32681->32682 32683 1f2ad0 31 API calls 32682->32683 32684 1f51cd 32683->32684 32685 1f2ad0 31 API calls 32684->32685 32686 1f51f2 32685->32686 32687 1f2ad0 31 API calls 32686->32687 32688 1f5217 32687->32688 32689 1f2ad0 31 API calls 32688->32689 32690 1f523c GetSystemMetrics GetSystemMetrics 32689->32690 32691 1f29e0 31 API calls 32690->32691 32692 1f527a 32691->32692 32693 1f29e0 31 API calls 32692->32693 32694 1f529b 32693->32694 32695 1f29e0 31 API calls 32694->32695 32696 1f52bc 32695->32696 32697 1f52cc wsprintfW wsprintfW wsprintfW wsprintfW 32696->32697 32698 1f537f 32696->32698 32699 1f2ad0 31 API calls 32697->32699 32702 1f2ad0 31 API calls 32698->32702 32700 1f5325 32699->32700 32701 1f2ad0 31 API calls 32700->32701 32703 1f5343 32701->32703 32704 1f53b6 32702->32704 32705 1f2ad0 31 API calls 32703->32705 32707 1f2ad0 31 API calls 32704->32707 32706 1f5361 32705->32706 32708 1f2ad0 31 API calls 32706->32708 32709 1f53e2 32707->32709 32708->32698 32710 212bf2 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 32709->32710 32711 1f541c 32710->32711 32711->32412 32713 2083b4 32712->32713 32714 2083ba GetSysColor 32712->32714 32713->32413 32714->32413 32716 2083d4 32715->32716 32717 2083da GetSysColor 32715->32717 32716->32416 32717->32416 32719 20888d #381 32718->32719 32720 20889e 32718->32720 32719->32720 32721 2088a7 #381 
32720->32721 32722 2088ba LoadCursorW RegisterClassW LoadLibraryA 32720->32722 32721->32722 32723 208920 #381 ExitProcess 32722->32723 32724 208919 32722->32724 32829 24a66c 9 API calls __purecall 32724->32829 32726->32431 32727->32432 32728->32443 32729->32459 32730->32440 32731->32459 32732->32459 32733->32459 32734->32472 32735->32475 32736->32459 32737->32459 32739 212bfb IsProcessorFeaturePresent 32738->32739 32740 212bfa 32738->32740 32742 213262 32739->32742 32740->32488 32768 213225 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 32742->32768 32744 213345 32744->32488 32746 1f41a6 lstrcpyW PathFindFileNameW lstrcpyW PathFileExistsW 32745->32746 32747 1f42c4 PathFileExistsW 32745->32747 32750 1f41df PathIsDirectoryW 32746->32750 32751 1f41ee lstrcpyW PathRemoveFileSpecW lstrcatW lstrcatW PathFileExistsW 32746->32751 32748 1f42fe 32747->32748 32749 1f42d6 PathIsDirectoryW 32747->32749 32758 212bf2 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 32748->32758 32749->32748 32752 1f42e8 lstrcpyW 32749->32752 32750->32751 32753 1f42b5 lstrcpyW 32750->32753 32754 1f423c SHGetFolderPathW 32751->32754 32755 1f4231 PathIsDirectoryW 32751->32755 32752->32748 32753->32748 32756 1f4255 PathAppendW PathFileExistsW 32754->32756 32757 1f4282 SHGetFolderPathW 32754->32757 32755->32753 32755->32754 32756->32757 32759 1f4277 PathIsDirectoryW 32756->32759 32757->32748 32760 1f4295 PathAppendW 32757->32760 32761 1f4312 32758->32761 32759->32753 32759->32757 32769 1f25d0 PathFileExistsW 32760->32769 32761->32490 32761->32491 32764->32493 32765->32504 32766->32512 32767->32517 32768->32744 32770 1f25de PathIsDirectoryW 32769->32770 32771 1f25e9 32769->32771 32770->32771 32771->32748 32771->32753 32773 1f28c2 32772->32773 32774 1f2822 PathFileExistsW 32772->32774 32773->32561 32774->32773 32775 1f2835 PathIsDirectoryW 32774->32775 32775->32773 32776 1f2844 32775->32776 32796 1f26c0 45 API calls 
__ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 32776->32796 32778 1f287f 32778->32773 32797 1f61b0 38 API calls 32778->32797 32780 1f2891 32798 1f27b0 FlushFileBuffers UnlockFileEx CloseHandle 32780->32798 32782 1f28b8 32782->32561 32784 1f29f2 32783->32784 32789 1f2a9f 32783->32789 32784->32789 32799 1fb340 30 API calls 32784->32799 32786 1f2abb lstrlenW 32786->32563 32787 1f2a22 32790 1f2a35 32787->32790 32800 21ee8d 30 API calls __get_errno 32787->32800 32789->32786 32790->32789 32801 21ee8d 30 API calls __get_errno 32790->32801 32802 1f66a0 32792->32802 32795->32568 32796->32778 32797->32780 32798->32782 32799->32787 32800->32790 32801->32789 32803 1f66c7 32802->32803 32813 1f6832 32803->32813 32814 1fb340 30 API calls 32803->32814 32805 212bf2 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 32807 1f2aeb 32805->32807 32806 1f670d 32806->32813 32815 21ee8d 30 API calls __get_errno 32806->32815 32807->32572 32809 1f6724 32810 1f67c5 WideCharToMultiByte 32809->32810 32809->32813 32811 1f67f0 32810->32811 32810->32813 32811->32813 32816 2271c7 30 API calls _vsnprintf 32811->32816 32813->32805 32814->32806 32815->32809 32816->32813 32817->32600 32821 1f6c00 32818->32821 32820 1f2ce7 32820->32610 32822 1f6c15 32821->32822 32826 1f6c73 32822->32826 32827 1fb340 30 API calls 32822->32827 32824 1f6c5c 32824->32826 32828 21ee8d 30 API calls __get_errno 32824->32828 32826->32820 32827->32824 32828->32826 32829->32723

                              Control-flow Graph

                              APIs
                                • Part of subcall function 001F2810: PathFileExistsW.SHLWAPI(00308DE8,?,?,001F4A32,23499D16), ref: 001F2827
                                • Part of subcall function 001F2810: PathIsDirectoryW.SHLWAPI(00308DE8), ref: 001F283A
                              • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,C:\Users\user\Documents), ref: 001F4E29
                              • GetSystemDirectoryW.KERNEL32(C:\Windows\system32\Viewers\Quikview.exe,00000104), ref: 001F4E7A
                              • PathAddBackslashW.SHLWAPI(C:\Windows\system32\Viewers\Quikview.exe), ref: 001F4E85
                              • lstrcatW.KERNEL32(C:\Windows\system32\Viewers\Quikview.exe,Viewers\Quikview.exe), ref: 001F4E95
                              • lstrcpyW.KERNEL32 ref: 001F4EF7
                                • Part of subcall function 00205E90: StrCmpNIW.SHLWAPI(C:\Users\user\Documents,%CSIDL:MYDOCUMENTS%,00000013,?,00000002), ref: 00205EB3
                                • Part of subcall function 00205E90: SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,?,?,00000002), ref: 00205ED3
                                • Part of subcall function 00205E90: PathAppendW.SHLWAPI(?,?,?,00000002), ref: 00205EE5
                                • Part of subcall function 00205E90: ExpandEnvironmentStringsW.KERNEL32(?,?,00000138,?,00000002), ref: 00205F0B
                                • Part of subcall function 00205E90: lstrcpynW.KERNEL32(?,?,00000104,?,00000002), ref: 00205F2A
                                • Part of subcall function 00205E90: PathIsRelativeW.SHLWAPI(?,?,00000002), ref: 00205F34
                                • Part of subcall function 00205E90: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,?,00000002), ref: 00205F4A
                                • Part of subcall function 00205E90: PathRemoveFileSpecW.SHLWAPI(?,?,00000002), ref: 00205F55
                                • Part of subcall function 00205E90: PathAppendW.SHLWAPI(?,?,?,00000002), ref: 00205F68
                                • Part of subcall function 00205E90: PathCanonicalizeW.SHLWAPI(?,?,?,00000002), ref: 00205F8C
                                • Part of subcall function 00205E90: lstrcpyW.KERNEL32 ref: 00205FA3
                                • Part of subcall function 00205E90: PathGetDriveNumberW.SHLWAPI(?,?,00000002), ref: 00205FAE
                                • Part of subcall function 00205E90: CharUpperBuffW.USER32(00000001,00000001,?,00000002), ref: 00205FC0
                                • Part of subcall function 00205E90: lstrcpynW.KERNEL32(C:\Users\user\Documents,00000104,00000104,?,00000002), ref: 00205FE6
                                • Part of subcall function 00205E90: lstrcpynW.KERNEL32(?,C:\Users\user\Documents,00000104,?,00000002), ref: 00205EF4
                                • Part of subcall function 00205E90: lstrcpynW.KERNEL32(?,?,00000104,?,00000002), ref: 00205F7D
                                • Part of subcall function 001F33B0: lstrlenW.KERNEL32(?,?), ref: 001F3516
                              • SHGetSpecialFolderPathW.SHELL32(00000000,C:\Users\user\Desktop,00000010,00000001), ref: 001F4F5F
                              • lstrcpyW.KERNEL32 ref: 001F5012
                              • lstrcpynW.KERNEL32(0030D39C,00000000,00000100), ref: 001F5065
                              • GetSysColor.USER32(00000008), ref: 001F50CD
                              • GetSysColor.USER32(0000000D), ref: 001F50F5
                              • lstrcpyW.KERNEL32 ref: 001F5125
                              • lstrcpyW.KERNEL32 ref: 001F5156
                              • GetSystemMetrics.USER32 ref: 001F5252
                              • GetSystemMetrics.USER32 ref: 001F5258
                              • wsprintfW.USER32 ref: 001F52DD
                              • wsprintfW.USER32 ref: 001F52ED
                              • wsprintfW.USER32 ref: 001F52FD
                              • wsprintfW.USER32 ref: 001F530D
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Path$lstrcpylstrcpyn$wsprintf$FileFolderSystem$AppendColorDirectoryMetrics$BackslashBuffCanonicalizeCharDriveEnvironmentExistsExpandModuleNameNumberRelativeRemoveSpecSpecialStringsUpperlstrcatlstrlen
                              • String ID: %USERPROFILE%\Desktop$%USERPROFILE%\Desktop$%ix%i PosX$%ix%i PosY$%ix%i SizeX$%ix%i SizeY$*.*$*.*$1 2 3 4 5 0 8$1 2 3 4 5 0 8$1 2 3 4 5 0 8$AlwaysOnTop$BitmapDefault$BitmapDisabled$BitmapHot$C:\Users\user\Desktop$C:\Users\user\Documents$C:\Windows\system32\Viewers\Quikview.exe$ClearReadOnly$ColorFilter$ColorNoFilter$CopyMoveDlgSizeX$DefColorFilter$DefColorNoFilter$EscFunction$Favorites$FileFilter$FillMask$FocusEdit$FocusLostOpacity$FullRowSelect$GotoDlgSizeX$MinimizeToTray$NegativeFilter$NoConfirmDelete$OpacityLevel$OpenWithDir$OpenWithDlgSizeX$OpenWithDlgSizeY$Quikview.exe$QuikviewParams$RenameOnCollision$SaveSettings$Settings$Settings2$ShowDriveBox$ShowStatusbar$ShowToolbar$SingleClick$SortOptions$SortReverse$StartupDirectory$Toolbar Images$ToolbarButtons$TrackSelect$TransparentMode$UseRecycleBin$Viewers\Quikview.exe$Window
                              • API String ID: 3534769242-1191095928
                              • Opcode ID: a28f0ef453caf68b4699b2eee5de3f656c66caeed8d7c3422b52c8887a2a76fd
                              • Instruction ID: 2f30a095a504c49491f4925ce30a3ecabf328c7f7593ea180748edc7e351fda8
                              • Opcode Fuzzy Hash: a28f0ef453caf68b4699b2eee5de3f656c66caeed8d7c3422b52c8887a2a76fd
                              • Instruction Fuzzy Hash: 461216F0A617485BE705AB64BC2676735B5EB94708F00803AE70AD73D2E7F19860CB53
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • GetVersion.KERNEL32 ref: 00208664
                              • SetErrorMode.KERNELBASE(00008001), ref: 00208687
                                • Part of subcall function 001F1E10: RtlGetNtVersionNumbers.NTDLL(003089AC,003089A8,003089B0), ref: 001F1E31
                                • Part of subcall function 001F1E10: LoadLibraryExW.KERNEL32(comctl32.dll,00000000,00000800), ref: 001F1EB3
                                • Part of subcall function 001F1E10: FreeLibrary.KERNEL32(00000000), ref: 001F1F01
                              • GetSysColor.USER32(00000008), ref: 002086EE
                              • GetSysColor.USER32(00000005), ref: 002086F7
                              • GetSysColor.USER32(00000017), ref: 00208700
                              • GetSysColor.USER32(00000018), ref: 00208709
                              • GetSysColor.USER32(0000000E), ref: 00208712
                              • GetSysColor.USER32(0000000D), ref: 0020871B
                              • GetSysColor.USER32(00000002), ref: 00208724
                              • GetSysColor.USER32(00000001), ref: 0020872D
                              • GetSysColor.USER32(0000000F), ref: 00208736
                              • GetSysColor.USER32(0000000F), ref: 0020873F
                              • GetSysColor.USER32(0000000F), ref: 00208748
                              • GetSysColor.USER32(0000000F), ref: 00208751
                              • GetSysColor.USER32(0000000F), ref: 0020875A
                              • GetSysColor.USER32(0000000F), ref: 00208763
                                • Part of subcall function 0020F3A0: GetCommandLineW.KERNEL32(?,749217C0,?,?,?,0020877D), ref: 0020F3A5
                                • Part of subcall function 0020F3A0: StrChrW.SHLWAPI(00000000,00000009,?,?,?,0020877D), ref: 0020F3C9
                                • Part of subcall function 0020F3A0: StrChrW.SHLWAPI(00000000,00000009,?,?,?,0020877D), ref: 0020F3DA
                                • Part of subcall function 0020F3A0: lstrlenW.KERNEL32(00000000,?,?,?,0020877D), ref: 0020F3EC
                                • Part of subcall function 0020F3A0: LocalAlloc.KERNEL32(00000040,00000000,?,?,?,0020877D), ref: 0020F3FE
                                • Part of subcall function 0020F3A0: lstrlenW.KERNEL32(00000000,?,?,?,0020877D), ref: 0020F403
                                • Part of subcall function 0020F3A0: LocalAlloc.KERNEL32(00000040,00000000,?,?,?,0020877D), ref: 0020F40F
                                • Part of subcall function 0020F3A0: lstrcpyW.KERNEL32 ref: 0020F41B
                                • Part of subcall function 0020F3A0: StrChrW.SHLWAPI(00000000,00000020,?,?,?,0020877D), ref: 0020F453
                                • Part of subcall function 0020F3A0: lstrcpyW.KERNEL32 ref: 0020F467
                                • Part of subcall function 0020F3A0: lstrcpyW.KERNEL32 ref: 0020F495
                                • Part of subcall function 0020F3A0: StrChrW.SHLWAPI(00000000,00000020,?,?,?,0020877D), ref: 0020F4CB
                                • Part of subcall function 001F4450: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,749217C0), ref: 001F4476
                                • Part of subcall function 001F4450: lstrcmpiW.KERNEL32(00308DE8,0027D624), ref: 001F4494
                                • Part of subcall function 001F4740: lstrcmpiW.KERNEL32(00308DE8,0027D624,749217C0), ref: 001F475F
                                • Part of subcall function 001F4740: lstrcpyW.KERNEL32 ref: 001F4779
                                • Part of subcall function 001F4740: lstrcpyW.KERNEL32 ref: 001F4785
                                • Part of subcall function 001F4070: StrRChrW.SHLWAPI(00308DE8,00000000,0000005C,?,?,?,001F54A3), ref: 001F408A
                                • Part of subcall function 001F4070: SHCreateDirectoryExW.SHELL32(00000000,00308DE8,00000000,?,?,?,001F54A3), ref: 001F40A2
                                • Part of subcall function 001F4070: PathFileExistsW.SHLWAPI(00308DE8,?,?,?,001F54A3), ref: 001F40B5
                                • Part of subcall function 001F4070: PathIsDirectoryW.SHLWAPI(00308DE8), ref: 001F40C4
                                • Part of subcall function 001F4070: CreateFileW.KERNEL32(00308DE8,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,001F54A3), ref: 001F40E3
                                • Part of subcall function 001F4070: GetFileSize.KERNEL32(00000000,?), ref: 001F40FE
                                • Part of subcall function 001F4070: CloseHandle.KERNEL32(00000000), ref: 001F4107
                                • Part of subcall function 0020FF10: EnumWindows.USER32(0020FE70,00000000), ref: 0020FF51
                                • Part of subcall function 0020FF10: IsWindowEnabled.USER32(00000000), ref: 0020FF64
                                • Part of subcall function 0020FF10: IsIconic.USER32 ref: 0020FF76
                                • Part of subcall function 0020FF10: ShowWindowAsync.USER32(00000009,00000009), ref: 0020FF86
                                • Part of subcall function 0020FF10: IsWindowVisible.USER32(00000000), ref: 0020FF90
                                • Part of subcall function 0020FF10: SendMessageW.USER32(00000400,00000400,00000000,00000203), ref: 0020FFB0
                                • Part of subcall function 0020FF10: SendMessageW.USER32(00000400,00000400,00000000,00000202), ref: 0020FFC2
                                • Part of subcall function 0020FF10: SetForegroundWindow.USER32(00000000), ref: 0020FFC8
                                • Part of subcall function 0020FF10: GlobalSize.KERNEL32(?), ref: 0020FFDC
                                • Part of subcall function 0020FF10: PathIsRelativeW.SHLWAPI ref: 0020FFF7
                                • Part of subcall function 0020FF10: GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0021000B
                                • Part of subcall function 0020FF10: PathAppendW.SHLWAPI(?), ref: 0021001C
                                • Part of subcall function 0020FF10: lstrcpyW.KERNEL32 ref: 0021002D
                                • Part of subcall function 0020FF10: GlobalSize.KERNEL32 ref: 00210041
                                • Part of subcall function 0020FF10: SendMessageW.USER32(?,0000004A,00000000,?), ref: 00210061
                                • Part of subcall function 0020FF10: GlobalFree.KERNEL32 ref: 00210069
                              • OleInitialize.OLE32(00000000), ref: 002087A6
                              • InitCommonControlsEx.COMCTL32(?), ref: 002087C9
                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002087D4
                              • CreateSolidBrush.GDI32(00000000), ref: 00208817
                              • CreateSolidBrush.GDI32(00000000), ref: 0020883F
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Color$lstrcpy$Window$CreateFileMessagePath$DirectoryGlobalSendSize$AllocBrushFreeLibraryLocalSolidVersionlstrcmpilstrlen$AppendAsyncCloseCommandCommonControlsCurrentEnabledEnumErrorExistsForegroundHandleIconicInitInitializeLineLoadModeModuleNameNumbersRegisterRelativeShowVisibleWindows
                              • String ID: %USERPROFILE%\Desktop$*.*$1 2 3 4 5 0 8$TaskbarCreated
                              • API String ID: 1839052441-4190804089
                              • Opcode ID: 46c98d1c8953d2ce463242af961df50b28a533122d898b173e55860f1a2ac3e2
                              • Instruction ID: 4310724e36c312f39987e55ea8adcecaf4a89abf764aaf4c7999d47aa7a6b838
                              • Opcode Fuzzy Hash: 46c98d1c8953d2ce463242af961df50b28a533122d898b173e55860f1a2ac3e2
                              • Instruction Fuzzy Hash: 8B4162749117089AD711BFB1BD2976A3FA8EF14754F00852BE6848B2E2EFB54040DF93
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • EnumWindows.USER32(0020FE70,00000000), ref: 0020FF51
                              • IsWindowEnabled.USER32(00000000), ref: 0020FF64
                              • IsIconic.USER32 ref: 0020FF76
                              • ShowWindowAsync.USER32(00000009,00000009), ref: 0020FF86
                              • IsWindowVisible.USER32(00000000), ref: 0020FF90
                              • SendMessageW.USER32(00000400,00000400,00000000,00000203), ref: 0020FFB0
                              • SendMessageW.USER32(00000400,00000400,00000000,00000202), ref: 0020FFC2
                              • SetForegroundWindow.USER32(00000000), ref: 0020FFC8
                              • GlobalSize.KERNEL32(?), ref: 0020FFDC
                              • PathIsRelativeW.SHLWAPI ref: 0020FFF7
                              • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0021000B
                              • PathAppendW.SHLWAPI(?), ref: 0021001C
                              • lstrcpyW.KERNEL32 ref: 0021002D
                              • GlobalSize.KERNEL32 ref: 00210041
                              • SendMessageW.USER32(?,0000004A,00000000,?), ref: 00210061
                              • GlobalFree.KERNEL32 ref: 00210069
                              • LoadStringW.USER32(0000C35F,?,00000100), ref: 002100A5
                              • LoadStringW.USER32(0000C35F,?,00000100), ref: 002100C0
                              • StrChrW.SHLWAPI(?,0000000A), ref: 002100C9
                              • MessageBoxW.USER32(00000000,00000000,?,00010024), ref: 002100E8
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: MessageWindow$GlobalSend$LoadPathSizeString$AppendAsyncCurrentDirectoryEnabledEnumForegroundFreeIconicRelativeShowVisibleWindowslstrcpy
                              • String ID:
                              • API String ID: 648661597-0
                              • Opcode ID: b41028b4d12986eedf607c52afcc27628017b1406a79d55142c3b34e63abd5bb
                              • Instruction ID: 879c16dbf3db0e8cc128d98dafc2f3fe16066e00521cb4d2cd33bcb299474688
                              • Opcode Fuzzy Hash: b41028b4d12986eedf607c52afcc27628017b1406a79d55142c3b34e63abd5bb
                              • Instruction Fuzzy Hash: E9516B34655306AFEB21DF20EC5DFAA3BE8EB58700F00842AF549D61B1DBB4D894DB52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 389 213b49-213b54 SetUnhandledExceptionFilter
                              APIs
                              • SetUnhandledExceptionFilter.KERNELBASE(Function_00023B58,002135EF), ref: 00213B4E
                              Similarity
                              • API ID: ExceptionFilterUnhandled
                              • String ID:
                              • API String ID: 3192549508-0
                              • Opcode ID: 1d1c029d9b60a91649ca519e1b5b73910f77f0c9acbfe17d85f7449c8fe79296
                              • Instruction ID: 6987d848f5bac924ad94f1d3a94736289d13601a3d25806c19f32071e3ba3b66
                              • Opcode Fuzzy Hash: 1d1c029d9b60a91649ca519e1b5b73910f77f0c9acbfe17d85f7449c8fe79296
                              • Instruction Fuzzy Hash:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 152 1f4740-1f4767 lstrcmpiW 153 1f479f-1f47c3 PathIsDirectoryW 152->153 154 1f4769-1f479e lstrcpyW * 2 call 212bf2 152->154 156 1f47ed-1f482b GetModuleFileNameW PathFindFileNameW PathAppendW PathRenameExtensionW PathFileExistsW 153->156 157 1f47c5-1f47e7 lstrlenW CharPrevW 153->157 160 1f482d-1f4836 PathIsDirectoryW 156->160 161 1f4838-1f4850 PathFindFileNameW lstrcpyW PathFileExistsW 156->161 157->156 159 1f4887-1f4890 PathIsDirectoryW 157->159 164 1f48ba-1f4913 GetModuleFileNameW PathRemoveFileSpecW lstrcatW PathFindFileNameW PathAppendW PathRenameExtensionW PathFileExistsW 159->164 165 1f4892-1f48b4 lstrlenW CharPrevW 159->165 160->159 160->161 162 1f485d-1f4881 PathFindFileNameW * 2 lstrcpyW PathRenameExtensionW 161->162 163 1f4852-1f485b PathIsDirectoryW 161->163 162->159 163->159 163->162 167 1f4915-1f491e PathIsDirectoryW 164->167 168 1f4920-1f4938 PathFindFileNameW lstrcpyW PathFileExistsW 164->168 165->164 166 1f4969-1f4978 PathFileExistsW 165->166 171 1f497a-1f4983 PathIsDirectoryW 166->171 172 1f4990-1f499a lstrcpyW 166->172 167->166 167->168 169 1f493a-1f4943 PathIsDirectoryW 168->169 170 1f4945-1f4963 PathFindFileNameW * 2 lstrcpyW PathRenameExtensionW 168->170 169->166 169->170 170->166 171->172 173 1f4985-1f498e PathIsDirectoryW 171->173 174 1f499c-1f49a5 PathFileExistsW 172->174 173->172 173->174 175 1f49b9-1f49d1 lstrcpyW * 2 174->175 176 1f49a7-1f49b0 PathIsDirectoryW 174->176 177 1f49d3-1f49eb call 212bf2 175->177 176->175 178 1f49b2-1f49b7 176->178 178->177
                              APIs
                              • lstrcmpiW.KERNEL32(00308DE8,0027D624,749217C0), ref: 001F475F
                              • lstrcpyW.KERNEL32 ref: 001F4779
                              • lstrcpyW.KERNEL32 ref: 001F4785
                              • PathIsDirectoryW.SHLWAPI(00308DE8), ref: 001F47AD
                              • lstrlenW.KERNEL32(00308DE8), ref: 001F47CA
                              • CharPrevW.USER32(00308DE8,00000000), ref: 001F47DD
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 001F47F9
                              • PathFindFileNameW.SHLWAPI(?), ref: 001F4804
                              • PathAppendW.SHLWAPI(00308DE8,00000000), ref: 001F480C
                              • PathRenameExtensionW.SHLWAPI(00308DE8,.ini), ref: 001F481C
                              • PathFileExistsW.SHLWAPI(00308DE8), ref: 001F4827
                              • PathIsDirectoryW.SHLWAPI(00308DE8), ref: 001F4832
                              • PathFindFileNameW.SHLWAPI(00308DE8,minipath.ini), ref: 001F4842
                              • lstrcpyW.KERNEL32 ref: 001F4845
                              • PathFileExistsW.SHLWAPI(00308DE8), ref: 001F484C
                              • PathIsDirectoryW.SHLWAPI(00308DE8), ref: 001F4857
                              • PathFindFileNameW.SHLWAPI(?), ref: 001F4862
                              • PathFindFileNameW.SHLWAPI(00308DE8), ref: 001F486B
                              • lstrcpyW.KERNEL32 ref: 001F486F
                              • PathRenameExtensionW.SHLWAPI(00308DE8,.ini), ref: 001F487B
                              • PathIsDirectoryW.SHLWAPI(00308BE0), ref: 001F488C
                              • lstrlenW.KERNEL32(00308BE0), ref: 001F4897
                              • CharPrevW.USER32(00308BE0,00000000), ref: 001F48AA
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 001F48C6
                              • PathRemoveFileSpecW.SHLWAPI(?), ref: 001F48D1
                              • lstrcatW.KERNEL32(?,\Notepad3.exe), ref: 001F48E1
                              • PathFindFileNameW.SHLWAPI(?), ref: 001F48EC
                              • PathAppendW.SHLWAPI(00308BE0,00000000), ref: 001F48F4
                              • PathRenameExtensionW.SHLWAPI(00308BE0,.ini), ref: 001F4904
                              Similarity
                              • API ID: Path$File$Name$Find$Directorylstrcpy$ExtensionRename$AppendCharExistsModulePrevlstrlen$RemoveSpeclstrcatlstrcmpi
                              • String ID: .ini$C:\Users\user\Desktop\HkObDPju6Z.ini$\Notepad3.exe$minipath.ini$notepad3.ini
                              • API String ID: 882991028-615529855
                              • Opcode ID: 8f668dc26cad64a4013137592db69f4112cc811bf868646239dfeaffa61bc564
                              • Instruction ID: cac0fe0b24918280ea692bba98b2173e5c0f8cb93f6a872e00242573f0d7768e
                              • Opcode Fuzzy Hash: 8f668dc26cad64a4013137592db69f4112cc811bf868646239dfeaffa61bc564
                              • Instruction Fuzzy Hash: 6D51C6757413096FDA01BBB6AC2AFBB36ACBF54B84B014524F544E20D0DFF0D8058A72
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,769C3E10,74CF8250,?,769CCB20), ref: 001F418A
                              • PathIsRelativeW.SHLWAPI(?,?,769CCB20), ref: 001F4198
                              • lstrcpyW.KERNEL32 ref: 001F41B2
                              • PathFindFileNameW.SHLWAPI(?,?,?,769CCB20), ref: 001F41C1
                              • lstrcpyW.KERNEL32 ref: 001F41C8
                              • PathFileExistsW.KERNELBASE(?,?,769CCB20), ref: 001F41CF
                              • PathIsDirectoryW.SHLWAPI(?), ref: 001F41E4
                              • lstrcpyW.KERNEL32 ref: 001F41F4
                              • PathRemoveFileSpecW.SHLWAPI(?,?,769CCB20), ref: 001F41FB
                              • lstrcatW.KERNEL32(?,\np3\), ref: 001F4211
                              • lstrcatW.KERNEL32(?,?), ref: 001F4220
                              • PathFileExistsW.KERNELBASE(?,?,769CCB20), ref: 001F4227
                              • PathIsDirectoryW.SHLWAPI(?), ref: 001F4236
                              • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,769CCB20), ref: 001F424F
                              • PathAppendW.SHLWAPI(?,?,?,769CCB20), ref: 001F4262
                              • PathFileExistsW.KERNELBASE(?,?,769CCB20), ref: 001F426D
                              • PathIsDirectoryW.SHLWAPI(?), ref: 001F427C
                              • SHGetFolderPathW.SHELL32(00000000,00000028,00000000,00000000,?,?,769CCB20), ref: 001F428F
                              • PathAppendW.SHLWAPI(?,?,?,769CCB20), ref: 001F42A2
                              • lstrcpyW.KERNEL32 ref: 001F42BB
                              • PathFileExistsW.SHLWAPI(?,?,769CCB20), ref: 001F42CC
                              • PathIsDirectoryW.SHLWAPI(?), ref: 001F42DE
                              • lstrcpyW.KERNEL32 ref: 001F42F1
                              Similarity
                              • API ID: Path$File$lstrcpy$DirectoryExists$AppendFolderlstrcat$EnvironmentExpandFindNameRelativeRemoveSpecStrings
                              • String ID: \np3\
                              • API String ID: 3472113900-578766168
                              • Opcode ID: 861d2a220e315fa38c435af8aa3b0f0d68f38c245b67f0499278cdf961337c65
                              • Instruction ID: 9de361e62530ef62152d240b09265108172e09c37a177d34d0c21e2c517f21fb
                              • Opcode Fuzzy Hash: 861d2a220e315fa38c435af8aa3b0f0d68f38c245b67f0499278cdf961337c65
                              • Instruction Fuzzy Hash: D841FF76604349ABDB20DFA0EC48FFB77ECAB54700F054829B645C3150EB74D5498B62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 273 208850-20888b GetSystemMetrics * 4 274 20888d-20889b #381 273->274 275 20889e-2088a5 273->275 274->275 276 2088a7-2088b5 #381 275->276 277 2088ba-208917 LoadCursorW RegisterClassW LoadLibraryA 275->277 276->277 278 208920-20892a #381 ExitProcess 277->278 279 208919-20891b call 24a66c 277->279 279->278
                              APIs
                              • GetSystemMetrics.USER32 ref: 00208863
                              • GetSystemMetrics.USER32 ref: 00208869
                              • GetSystemMetrics.USER32 ref: 00208870
                              • GetSystemMetrics.USER32 ref: 00208877
                              • #381.COMCTL32(?,00000064,00000000,?,003098C8), ref: 00208899
                              • #381.COMCTL32(?,00000064,00000008,00000000,003092A0), ref: 002088B3
                              • LoadCursorW.USER32(?,00007F00), ref: 002088E2
                              • RegisterClassW.USER32 ref: 00208904
                              • LoadLibraryA.KERNELBASE(fdgmnfmfhdfgsndhfd), ref: 0020890F
                              • #381.COMCTL32(00000000), ref: 00208926
                              • ExitProcess.KERNEL32 ref: 0020892A
                              Similarity
                              • API ID: MetricsSystem$#381$Load$ClassCursorExitLibraryProcessRegister
                              • String ID: MiniPath$fdgmnfmfhdfgsndhfd
                              • API String ID: 2339817912-2455953222
                              • Opcode ID: 3ae926c13488c2f299f31a4476ddb0a2f3eb4f08e3aba8ef92d0f412de9f79c2
                              • Instruction ID: 0de0d10e09ba8c875b0ff2e0e4fb528bb95bac78a739c36f600343f478a10161
                              • Opcode Fuzzy Hash: 3ae926c13488c2f299f31a4476ddb0a2f3eb4f08e3aba8ef92d0f412de9f79c2
                              • Instruction Fuzzy Hash: 462107B5E41318ABEF119FA4DC49B9EBFB9AB09704F00801AE604A72D1DBF55904CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 281 212c6a-212c8b InitializeCriticalSectionAndSpinCount GetModuleHandleW 282 212c8d-212c9c GetModuleHandleW 281->282 283 212c9e-212cba GetProcAddress * 2 281->283 282->283 284 212ce4-212cfe call 2139b3 DeleteCriticalSection 282->284 285 212cbc-212cbe 283->285 286 212cce-212ce2 CreateEventW 283->286 291 212d00-212d01 CloseHandle 284->291 292 212d07 284->292 285->286 287 212cc0-212cc6 285->287 286->284 288 212ccb-212ccd 286->288 287->288 291->292
                              APIs
                              • InitializeCriticalSectionAndSpinCount.KERNEL32(003076F4,00000FA0,?,?,00212C48), ref: 00212C76
                              • GetModuleHandleW.KERNELBASE(api-ms-win-core-synch-l1-2-0.dll,?,?,00212C48), ref: 00212C81
                              • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00212C48), ref: 00212C92
                              • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00212CA4
                              • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00212CB2
                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00212C48), ref: 00212CD5
                              • DeleteCriticalSection.KERNEL32(003076F4,00000007,?,?,00212C48), ref: 00212CF1
                              • CloseHandle.KERNEL32(00000000,?,?,00212C48), ref: 00212D01
                              Strings
                              • WakeAllConditionVariable, xrefs: 00212CAA
                              • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00212C7C
                              • SleepConditionVariableCS, xrefs: 00212C9E
                              • kernel32.dll, xrefs: 00212C8D
                              Similarity
                              • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                              • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                              • API String ID: 2565136772-3242537097
                              • Opcode ID: abcfe23c0ae88d8eff5704bcebd17cc4c80c73ca331c9313af4f6121ec3e7a53
                              • Instruction ID: d633e5986447baf07f3e68f484a3817043a03e22720cfcd49a77bad3e50383d6
                              • Opcode Fuzzy Hash: abcfe23c0ae88d8eff5704bcebd17cc4c80c73ca331c9313af4f6121ec3e7a53
                              • Instruction Fuzzy Hash: 0A01B974A15712DBDF211F74BC1DAAA7A989B65B00B068012F909E6160DBF0D8608AB0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • ___security_init_cookie.LIBCMT ref: 002135FC
                                • Part of subcall function 00213EA6: ___get_entropy.LIBCMT ref: 00213EC0
                              • ___scrt_release_startup_lock.LIBCMT ref: 00213698
                              • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 002136AC
                              • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 002136D2
                              • ___scrt_uninitialize_crt.LIBCMT ref: 00213715
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: ___scrt_is_nonwritable_in_current_image$___get_entropy___scrt_release_startup_lock___scrt_uninitialize_crt___security_init_cookie
                              • String ID: 7!
                              • API String ID: 2539496024-945759478
                              • Opcode ID: d88b3c25ce5b9222a94b586649b61739df22af5101b960071ac43046855e9e04
                              • Instruction ID: 34ad4c286c8f85e1c1ac2f068033389ab39869a48bfd5248fa9e566621247d3b
                              • Opcode Fuzzy Hash: d88b3c25ce5b9222a94b586649b61739df22af5101b960071ac43046855e9e04
                              • Instruction Fuzzy Hash: 9A3128725792426ADF29FF789803ADD67EA8F72720F240419F041672C2CA614BF18E99
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 357 1f25d0-1f25dc PathFileExistsW 358 1f25de-1f25e7 PathIsDirectoryW 357->358 359 1f25f0-1f25f3 357->359 358->359 360 1f25e9-1f25ef 358->360
                              APIs
                              • PathFileExistsW.KERNELBASE(C:\Windows\system32\Viewers\Quikview.exe,00000002,001F4EB9), ref: 001F25D4
                              • PathIsDirectoryW.SHLWAPI(C:\Windows\system32\Viewers\Quikview.exe), ref: 001F25DF
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Path$DirectoryExistsFile
                              • String ID: C:\Windows\system32\Viewers\Quikview.exe
                              • API String ID: 1302732169-377476166
                              • Opcode ID: c63eb18ab6bb5e1b40c203e53728bd5530ccd86b8552681897a4f5502bea306c
                              • Instruction ID: 28a35ff2cdd4222809bdc063ea092727fd12aa10a00bae59c913c66bc07799f5
                              • Opcode Fuzzy Hash: c63eb18ab6bb5e1b40c203e53728bd5530ccd86b8552681897a4f5502bea306c
                              • Instruction Fuzzy Hash: 7DC012313154210AEB202B287D0CBF7124C8F0121070A00A9F405C6158FBA4DD8351D5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • GetEnvironmentStringsW.KERNEL32(?,0024B3E5,?,0024B363,0024B31B), ref: 00257FDF
                              • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,0024B3E5,?,0024B363,0024B31B), ref: 0025801E
                              Similarity
                              • API ID: EnvironmentStrings$Free
                              • String ID:
                              • API String ID: 3328510275-0
                              • Opcode ID: f65ca07e1a93de68f36ac055a7d6abb6d548ae6b0ed40ced337914f78a5ee7a4
                              • Instruction ID: 53156ba1dedb5b12c84b6c08b2fd5bffab46aa2e9475893779c246106e3a5833
                              • Opcode Fuzzy Hash: f65ca07e1a93de68f36ac055a7d6abb6d548ae6b0ed40ced337914f78a5ee7a4
                              • Instruction Fuzzy Hash: 0BE02B3B169A212A9521323C3C8EE9F061DCFC57727150111FC1455282FE704C1605F9
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 374 250133-25013f 375 250171-25017c call 24f16b 374->375 376 250141-250143 374->376 383 25017e-250180 375->383 378 250145-250146 376->378 379 25015c-25016d RtlAllocateHeap 376->379 378->379 380 25016f 379->380 381 250148-25014f call 24e86a 379->381 380->383 381->375 386 250151-25015a call 24a8b6 381->386 386->375 386->379
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,?,?,?,00212C1A,?,?,001F102A,00000024,23499D16,?,?,0026D1AF,000000FF), ref: 00250165
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: bcf5f4c13153e3b8d60a6e203a1c8e6b11e7ca83e7ad9b1127153450ac09f9f7
                              • Instruction ID: 6dab3b00cd4827ed5c6b9b9dfce0692229804fa1d093dadf6a187ccbe6f8ce82
                              • Opcode Fuzzy Hash: bcf5f4c13153e3b8d60a6e203a1c8e6b11e7ca83e7ad9b1127153450ac09f9f7
                              • Instruction Fuzzy Hash: E5E0E535232A1257EE212F759C80B5A36489F427A2F198120EC4E96291CFB0DC6485AB
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LoadLibraryW.KERNEL32(uxtheme.dll,23499D16,7490BB20,?), ref: 0020A87F
                              • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0020A891
                              • FreeLibrary.KERNEL32(00000000), ref: 0020A8A4
                              • CreateWindowExW.USER32 ref: 0020A8F2
                              • SendMessageW.USER32(0000041E,00000014,00000000), ref: 0020A949
                              • LoadImageW.USER32 ref: 0020A98B
                              • CopyImage.USER32 ref: 0020A99F
                              • GetObjectW.GDI32(00000000,00000018,?), ref: 0020A9BB
                              • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 0020AA14
                              • VerSetConditionMask.KERNEL32(00000000), ref: 0020AA18
                              • VerSetConditionMask.KERNEL32(00000000), ref: 0020AA1C
                              • VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0020AA46
                              • GetSysColor.USER32(0000000F), ref: 0020AA52
                              • ImageList_Create.COMCTL32(?,?,?,00000021,00000000,00000000), ref: 0020AA89
                              • ImageList_AddMasked.COMCTL32(00000000,00000000,FF000000), ref: 0020AA98
                              • DeleteObject.GDI32(00000000), ref: 0020AA9F
                              • SendMessageW.USER32(00000430,00000000,00000000), ref: 0020AAB3
                              • GetObjectW.GDI32(00000000,00000018,?), ref: 0020AAE3
                              • ImageList_Create.COMCTL32(?,?,?,00000021,00000000,00000000), ref: 0020AB0D
                              • ImageList_AddMasked.COMCTL32(00000000,00000000,FF000000), ref: 0020AB1C
                              • DeleteObject.GDI32(00000000), ref: 0020AB23
                              • SendMessageW.USER32(00000434,00000000,00000000), ref: 0020AB37
                              • GetObjectW.GDI32(00000000,00000018,?), ref: 0020AB67
                              • ImageList_Create.COMCTL32(?,?,?,00000021,00000000,00000000), ref: 0020AB91
                              • ImageList_AddMasked.COMCTL32(00000000,00000000,FF000000), ref: 0020ABA0
                              • DeleteObject.GDI32(00000000), ref: 0020ABA7
                              • SendMessageW.USER32(00000436,00000000,00000000), ref: 0020ABBB
                              • GetSysColor.USER32(0000000F), ref: 0020ABE8
                              • GetObjectW.GDI32(00000000,00000018,?), ref: 0020AC03
                              • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 0020AD49
                              • VerSetConditionMask.KERNEL32(00000000), ref: 0020AD4D
                              • VerSetConditionMask.KERNEL32(00000000), ref: 0020AD51
                              • VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0020AD7B
                              • GetObjectW.GDI32(00000000,00000018,?), ref: 0020ADA4
                              • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 0020AEB8
                              • VerSetConditionMask.KERNEL32(00000000), ref: 0020AEBC
                              • VerSetConditionMask.KERNEL32(00000000), ref: 0020AEC0
                              • VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0020AEEA
                              • GetSysColor.USER32(0000000F), ref: 0020AEF6
                              • ImageList_Create.COMCTL32(?,?,?,00000021,00000000,00000000), ref: 0020AF3F
                              • ImageList_AddMasked.COMCTL32(00000000,00000000,FF000000), ref: 0020AF4E
                              • SendMessageW.USER32(00000436,00000000,00000000), ref: 0020AF62
                              • DeleteObject.GDI32(00000000), ref: 0020AF73
                              • wsprintfW.USER32 ref: 0020AFC3
                              • lstrcmpiW.KERNEL32(?,(none)), ref: 0020B000
                              • lstrcmpiW.KERNEL32(?,(none)), ref: 0020B020
                              • SendMessageW.USER32(0000044D,00000000,?), ref: 0020B057
                              • SendMessageW.USER32(00000455,00000000,00000000), ref: 0020B0AC
                              • SendMessageW.USER32(00000454,00000000,00000000), ref: 0020B0BF
                              • SendMessageW.USER32(00000444,00000006,003071F0), ref: 0020B0D3
                              • SendMessageW.USER32(00000444,00000006,003071F0), ref: 0020B0FB
                              • SendMessageW.USER32(0000041D,00000000,?), ref: 0020B111
                              • CreateWindowExW.USER32 ref: 0020B145
                              • SystemParametersInfoW.USER32 ref: 0020B19C
                              • CreateWindowExW.USER32 ref: 0020B23E
                              • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 0020B2A0
                              • VerSetConditionMask.KERNEL32(00000000), ref: 0020B2A4
                              • VerSetConditionMask.KERNEL32(00000000), ref: 0020B2A8
                              • VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0020B2D2
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: ConditionMask$MessageSend$Image$Object$List_$Create$Info$DeleteMaskedVerifyVersion$ColorWindow$LibraryLoadlstrcmpi$AddressCopyFreeParametersProcSystemwsprintf
                              • String ID: $%02i$(none)$1 2 3 4 5 0 8$3$333$:@!$Explorer$IsAppThemed$ReBarWindow32$Toolbar Labels$ToolbarWindow32$d$msctls_statusbar32$uxtheme.dll
                              • API String ID: 3633255068-3275350571
                              • Opcode ID: cb96b08c109162b0889bb2b91761aafbf954a362cdd5b9dba9e0541c5d6f3b5d
                              • Instruction ID: 84772ad7e2e4135ab487abe810cd9c7018386f374e7a1a191d727ad27b3b3219
                              • Opcode Fuzzy Hash: cb96b08c109162b0889bb2b91761aafbf954a362cdd5b9dba9e0541c5d6f3b5d
                              • Instruction Fuzzy Hash: EE82D370A50719AFEB318F24DC59FAA7BB8AB44705F0440DAF508E61D2DBB49E90CF15
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SetTimer.USER32(?,0000A000,00000000,00000000), ref: 00209074
                              • KillTimer.USER32(?,0000A000), ref: 002090AE
                              • FindCloseChangeNotification.KERNEL32 ref: 002090BA
                              • GetWindowPlacement.USER32(?,?), ref: 002090CE
                              • DragAcceptFiles.SHELL32(?,00000000), ref: 0020910C
                              • LocalFree.KERNEL32(00000000), ref: 00209127
                              • PostQuitMessage.USER32(00000000), ref: 00209167
                              • IsWindowVisible.USER32(?), ref: 0020A021
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: TimerWindow$AcceptChangeCloseDragFilesFindFreeKillLocalMessageNotificationPlacementPostQuitVisible
                              • String ID: ,$1 2 3 4 5 0 8$AutoRefreshRate$Settings2
                              • API String ID: 1545102215-3278632014
                              • Opcode ID: 4e4d3a1370d09e4b3c32d1efae1a618003dd7cd0cfe4694ba62788695c69b948
                              • Instruction ID: c1a96c1cc2fcc0c59467582c5662e28d87aec84ba683876e45b29cdd92a5bddb
                              • Opcode Fuzzy Hash: 4e4d3a1370d09e4b3c32d1efae1a618003dd7cd0cfe4694ba62788695c69b948
                              • Instruction Fuzzy Hash: 15221531314304AFE720AF24EC5ABBE77E9FB98310F40851BF546961E2DBB55860DB92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0020A800: LoadLibraryW.KERNEL32(uxtheme.dll,23499D16,7490BB20,?), ref: 0020A87F
                                • Part of subcall function 0020A800: GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0020A891
                                • Part of subcall function 0020A800: FreeLibrary.KERNEL32(00000000), ref: 0020A8A4
                                • Part of subcall function 0020A800: CreateWindowExW.USER32 ref: 0020A8F2
                                • Part of subcall function 0020A800: SendMessageW.USER32(0000041E,00000014,00000000), ref: 0020A949
                                • Part of subcall function 0020A800: GetObjectW.GDI32(00000000,00000018,?), ref: 0020A9BB
                              • CreateWindowExW.USER32 ref: 0020A2D1
                              • LoadLibraryW.KERNEL32(uxtheme.dll), ref: 0020A2E3
                              • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0020A2F5
                              • FreeLibrary.KERNEL32(00000000), ref: 0020A304
                              • GetWindowLongW.USER32(000000EC), ref: 0020A316
                              • SetWindowLongW.USER32 ref: 0020A32A
                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000027), ref: 0020A342
                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0020A39E
                              • #410.COMCTL32(?,001F1550,00000000,00000000), ref: 0020A3C6
                              • SendMessageW.USER32(?,00001036,00000000,00010030), ref: 0020A3D9
                              • SendMessageW.USER32(?,00000127,00010001,00000000), ref: 0020A3E8
                              • SendMessageW.USER32(00001036,00000000,00014000), ref: 0020A41E
                              • SendMessageW.USER32(00001061,00000000,00000005), ref: 0020A432
                              • SendMessageW.USER32(00001036,00000048,00000048), ref: 0020A44C
                              • SendMessageW.USER32(00001036,00000020,00000020), ref: 0020A466
                              • SendMessageW.USER32(00001047,00000000,0000000A), ref: 0020A486
                              • GetSystemMetrics.USER32 ref: 0020A4AA
                              • CreateWindowExW.USER32 ref: 0020A4C1
                              • SendMessageW.USER32(?,0000200B,00000000,Explorer), ref: 0020A514
                              • SendMessageW.USER32(?,00000155,00000001,00000000), ref: 0020A520
                              • SHGetFileInfoW.SHELL32(C:\,00000000,?,000002B4,00004001), ref: 0020A552
                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0020A561
                              • SendMessageW.USER32(?,0000040E,00000008,00000008), ref: 0020A56D
                              • SendMessageW.USER32(?,0000040E,00000020,00000020), ref: 0020A579
                              • DragAcceptFiles.SHELL32(?,00000001), ref: 0020A57E
                              • SendMessageW.USER32(?,?,00000423,00000000), ref: 0020A60E
                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0020A61D
                              • GetSystemMenu.USER32(?,00000000,?,?,00000423,00000000,00000000), ref: 0020A622
                              • DeleteMenu.USER32(00000000,0000F120,00000000,?,?,00000423,00000000,00000000), ref: 0020A638
                              • DeleteMenu.USER32(00000000,0000F030,00000000,?,?,00000423,00000000,00000000), ref: 0020A642
                              • GetMenuItemInfoW.USER32(00000000,0000F020,00000000,?), ref: 0020A661
                              • SetMenuItemInfoW.USER32 ref: 0020A67C
                              • LoadStringW.USER32(0000EA61,?,00000040), ref: 0020A69D
                              • LoadStringW.USER32(0000EA61,?,00000040), ref: 0020A6B8
                              • InsertMenuW.USER32(00000000,0000F010,00000000,0000EA61,?), ref: 0020A6D5
                              • LoadStringW.USER32(0000EA62,?,00000040), ref: 0020A6EC
                              • LoadStringW.USER32(0000EA62,?,00000040), ref: 0020A707
                              • InsertMenuW.USER32(00000000,0000F060,00000000,0000EA62,?), ref: 0020A71E
                              • InsertMenuW.USER32(00000000,0000F060,00000800,00000000,00000000), ref: 0020A72F
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: MessageSend$Menu$LoadWindow$LibraryString$CreateInfoInsert$AddressDeleteFreeItemLongProcSystem$#410AcceptDragFileFilesMetricsObject
                              • String ID: 0$0$:@!$C:\$ComboBoxEx32$Explorer$IsAppThemed$ItemsView$SysListView32$uxtheme.dll
                              • API String ID: 1504807357-1257339576
                              • Opcode ID: eea72775f1b3826f19bb9bdeb6f5f1c07ed678633de62256a4826b9993b22f6c
                              • Instruction ID: ab59f50cef5ca1e8e9d125e7ca28b0d098ff629feba57eedb690b9bc6188d182
                              • Opcode Fuzzy Hash: eea72775f1b3826f19bb9bdeb6f5f1c07ed678633de62256a4826b9993b22f6c
                              • Instruction Fuzzy Hash: F6C1E270281345BBF7329F20EC5AF6A3AA8AB85B04F11851AF344791E1D7F16954CB2A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • PathCompactPathExW.SHLWAPI(?,0030BF0C,00000050,00000000), ref: 0020E452
                              • LoadStringW.USER32(?,?,00000100), ref: 0020E479
                              • LoadStringW.USER32(?,?,00000100), ref: 0020E493
                              • SendMessageW.USER32 ref: 0020E9D4
                              • CoTaskMemFree.OLE32(?), ref: 0020E9E6
                              • CoTaskMemFree.OLE32(?), ref: 0020E9F4
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: FreeLoadPathStringTask$CompactMessageSend
                              • String ID: $ $%s | %s %s | %s$*.*$1 2 3 4 5 0 8$'$'
                              • API String ID: 1377716363-1226540248
                              • Opcode ID: 7bdb7f2cd8e351b1c8f73828e30692f98abc5d0ffa3b4092d261963fa2dcd913
                              • Instruction ID: 43f2bfe5ea43f05e024d2b89ca6a6915190efdffc6c4f0db4939406264d27579
                              • Opcode Fuzzy Hash: 7bdb7f2cd8e351b1c8f73828e30692f98abc5d0ffa3b4092d261963fa2dcd913
                              • Instruction Fuzzy Hash: E722E371614341ABEB20DF64DC49FAB73E8BB88304F054D1AF649D71D2DBB1E8948B52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrcpyW.KERNEL32 ref: 0021050D
                              • EnumWindows.USER32(002101F0,00000000), ref: 0021051D
                              • IsWindowEnabled.USER32(00000000), ref: 00210530
                              • IsIconic.USER32 ref: 00210542
                              • ShowWindowAsync.USER32(00000009,00000009), ref: 00210552
                              • SetForegroundWindow.USER32(00000000), ref: 00210565
                              • lstrlenW.KERNEL32(?), ref: 00210574
                              • GlobalAlloc.KERNEL32(00002042,00000000), ref: 00210587
                              • GlobalLock.KERNEL32 ref: 00210594
                              • lstrcpyW.KERNEL32 ref: 002105C5
                              • GlobalUnlock.KERNEL32(00000000), ref: 002105C8
                              • PostMessageW.USER32(00000233,00000233,00000000,00000000), ref: 002105DA
                              • StrChrW.SHLWAPI(?,0000000A,?,?), ref: 00210624
                              • MessageBoxW.USER32(00000000,?,00010024), ref: 0021064A
                              • GetShortPathNameW.KERNEL32 ref: 0021068C
                              • StrCpyNW.SHLWAPI(?,003098D0,00000104), ref: 002106B1
                              • StrCatBuffW.SHLWAPI(?,0027DDEC,00000104), ref: 002106C6
                              • StrCatBuffW.SHLWAPI(?,?,00000104), ref: 002106D3
                              • lstrcpyW.KERNEL32 ref: 002106E2
                              • ShellExecuteExW.SHELL32 ref: 00210763
                                • Part of subcall function 00204FE0: LoadStringW.USER32(0000A411,?,00000000,00000001), ref: 00204FF2
                                • Part of subcall function 00204FE0: LoadStringW.USER32(0000A411,?,?), ref: 00205008
                              • lstrcpynW.KERNEL32(?,00309AE0,00000100), ref: 00210803
                              • wsprintfW.USER32 ref: 0021083C
                              • DdeInitializeW.USER32 ref: 00210853
                              • DdeCreateStringHandleW.USER32 ref: 00210875
                              • DdeCreateStringHandleW.USER32 ref: 00210887
                              • DdeConnect.USER32(?,00000000,00000000,00000000), ref: 002108A0
                              • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00004050,000000FF,00000000,?,?,?,?,?,?,?,?,?), ref: 002108C4
                              • DdeClientTransaction.USER32(?,00000000), ref: 002108DA
                              • DdeDisconnect.USER32 ref: 002108E4
                              • DdeUninitialize.USER32(?), ref: 00210919
                              • GetShortPathNameW.KERNEL32 ref: 00210970
                              • StrCpyNW.SHLWAPI(?,003098D0,00000104,?,?,?,?), ref: 00210998
                              • StrCatBuffW.SHLWAPI(?,0027DDEC,00000104,?,?,?,?), ref: 002109B0
                              • StrCatBuffW.SHLWAPI(?,?,00000104,?,?,?,?), ref: 002109C0
                              • lstrcpyW.KERNEL32 ref: 002109CC
                              • ExpandEnvironmentStringsW.KERNEL32(?,?,00000138,?,?,?,?), ref: 002109E4
                              • lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?), ref: 00210A00
                              • ShellExecuteExW.SHELL32(0000003C), ref: 00210A9C
                              • DialogBoxIndirectParamW.USER32 ref: 00210AC6
                              • LocalFree.KERNEL32(00000000), ref: 00210AD1
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: BuffStringlstrcpy$GlobalWindow$CreateExecuteHandleLoadMessageNamePathShellShortlstrcpynlstrlen$AllocAsyncClientConnectDialogDisconnectEnabledEnumEnvironmentExpandForegroundFreeIconicIndirectInitializeLocalLockParamPostShowStringsTransactionUninitializeUnlockWindowswsprintf
                              • String ID: <$<
                              • API String ID: 2206026705-213342407
                              • Opcode ID: b0447accf78f4e39f384d011f09afc5c6e600571a2c704142840227e80b20cc7
                              • Instruction ID: 548205551e9499149cafbd19b2eaaea84f8731912bbff6b4b0c2e74c09d28582
                              • Opcode Fuzzy Hash: b0447accf78f4e39f384d011f09afc5c6e600571a2c704142840227e80b20cc7
                              • Instruction Fuzzy Hash: B9F1F171514345ABEB20DF60EC88BEB77E8BF94704F004819F644971A1EBF199D8CB92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrcpyW.KERNEL32 ref: 00210B66
                              • EnumWindows.USER32(Function_000201F0,?), ref: 00210B7E
                              • IsIconic.USER32 ref: 00210B91
                              • IsZoomed.USER32(00000000), ref: 00210B9F
                              • SendMessageW.USER32(?,00000112,0000F120,00000000), ref: 00210BB9
                              • SetForegroundWindow.USER32(00000000), ref: 00210BC9
                              • BringWindowToTop.USER32 ref: 00210BCF
                              • SetForegroundWindow.USER32 ref: 00210BD6
                              • GetSystemMetrics.USER32 ref: 00210BDA
                              • GetWindowRect.USER32 ref: 00210BEE
                              • GetWindowRect.USER32 ref: 00210BF9
                              • EqualRect.USER32 ref: 00210C43
                              • SystemParametersInfoW.USER32 ref: 00210C5F
                              • DrawAnimatedRects.USER32(?,00000003,?,?,?,?), ref: 00210C79
                              • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,?), ref: 00210C90
                                • Part of subcall function 001F33B0: lstrlenW.KERNEL32(?,?), ref: 001F3516
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Window$Rect$ForegroundSystem$AnimatedBringDrawEnumEqualIconicInfoMessageMetricsParametersRectsSendWindowsZoomedlstrcpylstrlen
                              • String ID: Notepad3$Target Application$TargetApplicationWndClass$UseTargetApplication
                              • API String ID: 1367193657-1024641697
                              • Opcode ID: 1657ba5688eb273b6f53f8ea5b1f5335203e61975d4aa7db18891687fe52655d
                              • Instruction ID: 914ac9e86614acd3a7105afbe76646e796554aba67ce7ef0c988850984f5ccfb
                              • Opcode Fuzzy Hash: 1657ba5688eb273b6f53f8ea5b1f5335203e61975d4aa7db18891687fe52655d
                              • Instruction Fuzzy Hash: DA41A175648301AFD710DF24DC89F5B7BE8FB88704F00891AF585E6290DBB0D958CB52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetLastError.KERNEL32(?,00000000,?,?,001F2773), ref: 00202F39
                                • Part of subcall function 00208460: ResolveLocaleName.KERNEL32(00308FF0,?,00000055), ref: 0020848A
                                • Part of subcall function 00208460: GetLocaleInfoEx.KERNEL32(?,20000001,00000002), ref: 002084AD
                              • FormatMessageW.KERNEL32 ref: 00202F63
                              • lstrlenW.KERNEL32(00000000,00000000,00308DE8), ref: 00202F7A
                              • lstrlenW.KERNEL32(00000000), ref: 00202F82
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 00202F92
                              • GetFocus.USER32(00000000,00000000,?,?,00000000,00000000,?,?,001F2773), ref: 00202FBF
                              • MessageBoxExW.USER32 ref: 00202FDA
                              • LocalFree.KERNEL32(00000000,?,?,001F2773), ref: 00202FE1
                              • LocalFree.KERNEL32(?), ref: 00202FE7
                              Strings
                              • Error: '%s' failed with error id %d:%s., xrefs: 00202FAD
                              • MiniPath - ERROR, xrefs: 00202FD0
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Local$FreeLocaleMessagelstrlen$AllocErrorFocusFormatInfoLastNameResolve
                              • String ID: Error: '%s' failed with error id %d:%s.$MiniPath - ERROR
                              • API String ID: 2054022804-1590999508
                              • Opcode ID: fd00fb7012e1f1a87d41994bb3d2efbe895cd5cafe0fb65e9efe65183de0e0a7
                              • Instruction ID: 97fb43759a990f6ab2d04dcca2475b3dc7a61483fef7029f7aafba1939cae320
                              • Opcode Fuzzy Hash: fd00fb7012e1f1a87d41994bb3d2efbe895cd5cafe0fb65e9efe65183de0e0a7
                              • Instruction Fuzzy Hash: 92112675600305BFEB016F61EC0DF6B7BE8EF89B54F064429F908A2290D6B1DC148AB2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetLocaleInfoEx.KERNEL32(00000000,0000000F,00000008,00000008,00000000,?,?,?,?,?,0020F240), ref: 0020670F
                              • lstrlenW.KERNEL32(?,74D0F6F0,7490BB20,?,?,?,?,0020F240), ref: 0020672C
                              • CharPrevW.USER32(?,00000000,?,?,?,?,0020F240), ref: 00206733
                              • lstrlenW.KERNEL32(00000000,?,?,?,?,0020F240), ref: 00206749
                              • CharPrevW.USER32(?,00000000,?,?,?,?,0020F240), ref: 0020676A
                              • lstrlenW.KERNEL32(?,?,?,?,?,0020F240), ref: 00206777
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: lstrlen$CharPrev$InfoLocale
                              • String ID:
                              • API String ID: 1002616787-0
                              • Opcode ID: c67d4f117b3e340f3cdde0b435dc4abdb7d80837c82521af38e6446583dd5726
                              • Instruction ID: 97fe863a3b2151711c6e019bb5e0c6241718c8742a1e9308976e3d42981565c6
                              • Opcode Fuzzy Hash: c67d4f117b3e340f3cdde0b435dc4abdb7d80837c82521af38e6446583dd5726
                              • Instruction Fuzzy Hash: 8B11D6766103165BD710EF74AC89A7FB7DCEF94350F414829F90AC3162EA35C86487A2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetLocaleInfoW.KERNEL32(?,2000000B,0025CB41,00000002,00000000,?,?,?,0025CB41,?,00000000), ref: 0025C8BC
                              • GetLocaleInfoW.KERNEL32(?,20001004,0025CB41,00000002,00000000,?,?,?,0025CB41,?,00000000), ref: 0025C8E5
                              • GetACP.KERNEL32(?,?,0025CB41,?,00000000), ref: 0025C8FA
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: InfoLocale
                              • String ID: ACP$OCP
                              • API String ID: 2299586839-711371036
                              • Opcode ID: 26dc2f464d1812d0bdd04214bcabf045b44f4dd85342f706a672de33686af29e
                              • Instruction ID: 35feab6d98da819ffcc2a5eb3570abe978aa236262898a8f84294385f2f8583f
                              • Opcode Fuzzy Hash: 26dc2f464d1812d0bdd04214bcabf045b44f4dd85342f706a672de33686af29e
                              • Instruction Fuzzy Hash: C621B832A20306AEDB369F55CD08AA773A6EF50F62B768464EC0ADB100F772DD54D358
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0024F9EE: GetLastError.KERNEL32(?,00000008,00258EFD), ref: 0024F9F2
                                • Part of subcall function 0024F9EE: SetLastError.KERNEL32(00000000,002807B0,00000024,0024E9BA), ref: 0024FA94
                              • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0025CB04
                              • IsValidCodePage.KERNEL32(00000000), ref: 0025CB4D
                              • IsValidLocale.KERNEL32(?,00000001), ref: 0025CB5C
                              • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0025CBA4
                              • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0025CBC3
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                              • String ID:
                              • API String ID: 415426439-0
                              • Opcode ID: 91c97b95bc26bb05c3923140b19ae5ddf508128105144bc6c36f2f26b49f0164
                              • Instruction ID: 7722e06ddcfd566a83dbfce3c8e99b5b4e0bd15cde797a02db91167047e952d9
                              • Opcode Fuzzy Hash: 91c97b95bc26bb05c3923140b19ae5ddf508128105144bc6c36f2f26b49f0164
                              • Instruction Fuzzy Hash: E151A171A2030AAFDF10DFA4DC46ABA77B8FF48742F244065ED00E7150F7B09A688B65
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetUserPreferredUILanguages.KERNEL32(00000008,?,00000000,00000000), ref: 00208541
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00208559
                              • GetUserPreferredUILanguages.KERNEL32(00000008,?,00000000,?), ref: 00208576
                              • LocalFree.KERNEL32(00000000), ref: 002085C8
                              • GetLocaleInfoEx.KERNEL32(00000000,0000005C,?,00000055), ref: 002085E0
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: LanguagesLocalPreferredUser$AllocFreeInfoLocale
                              • String ID:
                              • API String ID: 1113077726-0
                              • Opcode ID: d591e3b7e0c253a8695b8fabcf9ea2ddf8dae2f494bbf0ddb7375e9afc89c4b0
                              • Instruction ID: 310cd6bf19cc77bee7aa38eb9f13fa682b284f78b0619758cbffdc4eea30e622
                              • Opcode Fuzzy Hash: d591e3b7e0c253a8695b8fabcf9ea2ddf8dae2f494bbf0ddb7375e9afc89c4b0
                              • Instruction Fuzzy Hash: 01318B712183069FE720DF14EC45B6B77E8EB94711F81842EF999C62C1EB74D918CBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0024F9EE: GetLastError.KERNEL32(?,00000008,00258EFD), ref: 0024F9F2
                                • Part of subcall function 0024F9EE: SetLastError.KERNEL32(00000000,002807B0,00000024,0024E9BA), ref: 0024FA94
                              • GetACP.KERNEL32(?,?,?,?,?,?,0024D613,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 0025C137
                              • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0024D613,?,?,?,00000055,?,-00000050,?,?), ref: 0025C162
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0025C2C5
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: ErrorLast$CodeInfoLocalePageValid
                              • String ID: utf8
                              • API String ID: 607553120-905460609
                              • Opcode ID: d6f367adad92b56025a0cfb8d3176511026e613b2a8ccb7142afb81552ccd160
                              • Instruction ID: d642bdcbe5e117f83c9346c509996543efde447cd4a9b86024690020e09307a3
                              • Opcode Fuzzy Hash: d6f367adad92b56025a0cfb8d3176511026e613b2a8ccb7142afb81552ccd160
                              • Instruction Fuzzy Hash: CF710671620306AEDB24AF75CC46BB773A8EF45712F244029FD05DB181FAB4DD688A98
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,00000000,?,00000000), ref: 002564E1
                              • FindNextFileW.KERNEL32(00000000,?), ref: 0025655C
                              • FindClose.KERNEL32(00000000), ref: 0025657E
                              • FindClose.KERNEL32(00000000), ref: 002565A1
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Find$CloseFile$FirstNext
                              • String ID:
                              • API String ID: 1164774033-0
                              • Opcode ID: 640a41884c9ded491ae03e42cdfa349c202737e1b0afde10847fc03a42ce0970
                              • Instruction ID: a71984607c6bbd18ae1aaf4fc73d8f99af59fa2928f175713d7effc6ea62ce77
                              • Opcode Fuzzy Hash: 640a41884c9ded491ae03e42cdfa349c202737e1b0afde10847fc03a42ce0970
                              • Instruction Fuzzy Hash: 6841D87192052AAFDF20DF68DC8C9BAB7B9EB84316F844195EC05D3144F6309E988F54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CoCreateInstance.OLE32(0027378C,00000000,00000001,0026FD7C,?,0000C356,?), ref: 002060AF
                              • lstrcpyW.KERNEL32 ref: 002060DB
                              • ExpandEnvironmentStringsW.KERNEL32(?,?,00000138), ref: 00206152
                              • lstrcpynW.KERNEL32(?,?,?), ref: 0020616C
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: CreateEnvironmentExpandInstanceStringslstrcpylstrcpyn
                              • String ID:
                              • API String ID: 4041286039-0
                              • Opcode ID: 65626e7d631a1135c373e15a84d1651206bdc98b51f655b53db254ce185d5169
                              • Instruction ID: 7856d9b878c2fe6adcc43709acb0ed39dfaf731c4b358639401111d1c59e2f19
                              • Opcode Fuzzy Hash: 65626e7d631a1135c373e15a84d1651206bdc98b51f655b53db254ce185d5169
                              • Instruction Fuzzy Hash: 64315B71204342AFD720DF58DC88EABB7E9EFC8704F004829B649D7291EB71E915CB62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • VirtualQuery.KERNEL32(80000000,00212448,0000001C,0021263D,00000000,?,?,?,?,?,?,?,00212448,00000004,003076E4,00212993), ref: 00212514
                              • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00212448,00000004,003076E4,00212993), ref: 0021252F
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: InfoQuerySystemVirtual
                              • String ID: D
                              • API String ID: 401686933-2746444292
                              • Opcode ID: 3be7ba8addaa3bec54fa1209f0c659fb4609f16934fac3f08cba6586856af745
                              • Instruction ID: b94d38793d7cce5f3d0753fe3fc1330516cf1819171d309efe48fe002ff4ea75
                              • Opcode Fuzzy Hash: 3be7ba8addaa3bec54fa1209f0c659fb4609f16934fac3f08cba6586856af745
                              • Instruction Fuzzy Hash: 3201F732A10109BBDF18DE29DC49BDD7BEAAFD4324F0CC220FD19E7140E674D9658680
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • ResolveLocaleName.KERNEL32(00308FF0,?,00000055), ref: 0020848A
                              • GetLocaleInfoEx.KERNEL32(?,20000001,00000002), ref: 002084AD
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Locale$InfoNameResolve
                              • String ID: en-US
                              • API String ID: 2669342117-1228076028
                              • Opcode ID: ddfb8c45bc369bd05d773ac1d7cd7d8fa21b2095af094fa131e69e224391a57d
                              • Instruction ID: d422f09cba87f041c47ff4458b6616f0000e374f193b93e58c9fa9c40c4dbddf
                              • Opcode Fuzzy Hash: ddfb8c45bc369bd05d773ac1d7cd7d8fa21b2095af094fa131e69e224391a57d
                              • Instruction Fuzzy Hash: 9EF0C8742047029BE320DF20EC5AB6B33E4BF54704F404418B589C32D2EB74D954DB47
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 37471b2442589230ee815a111edd3400550805fd9c89e2740b036a706190acc6
                              • Instruction ID: 04f75b57d505f8d8bcd90bda38b86c9b64312e14fc7436b7a13a09c7525396b4
                              • Opcode Fuzzy Hash: 37471b2442589230ee815a111edd3400550805fd9c89e2740b036a706190acc6
                              • Instruction Fuzzy Hash: C7B18E329202469FDB15CF68C881BFEBBE5EF15301F1482A6ED05AB241C2749D75CBA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0024F9EE: GetLastError.KERNEL32(?,00000008,00258EFD), ref: 0024F9F2
                                • Part of subcall function 0024F9EE: SetLastError.KERNEL32(00000000,002807B0,00000024,0024E9BA), ref: 0024FA94
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0025C4FB
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0025C545
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0025C60B
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: InfoLocale$ErrorLast
                              • String ID:
                              • API String ID: 661929714-0
                              • Opcode ID: 00341d476312982aeca6604fe8281327f05a2ac50dd73abb1818bbeca47dcf1a
                              • Instruction ID: d432855d8edf01f8cd83b36911ac80fd5435f7d46154954fd694c90ecd30b02d
                              • Opcode Fuzzy Hash: 00341d476312982aeca6604fe8281327f05a2ac50dd73abb1818bbeca47dcf1a
                              • Instruction Fuzzy Hash: 4161B0715603079FDB289F24CC82BBA73A8EF44302F204079ED15D6185F774EAA9DB54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00240F75
                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00240F7F
                              • UnhandledExceptionFilter.KERNEL32(-00000227,?,?,?,?,?,00000000), ref: 00240F8C
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                              • String ID:
                              • API String ID: 3906539128-0
                              • Opcode ID: 71a33f04448d5d885d038564024c00d35be99037b736d4374de8d810e32e6379
                              • Instruction ID: 5264f234fa8fd7e8797382c36cae7b7ea01a55c1e834bc0c2e8a45c38c2c8706
                              • Opcode Fuzzy Hash: 71a33f04448d5d885d038564024c00d35be99037b736d4374de8d810e32e6379
                              • Instruction Fuzzy Hash: 8631C274911229ABCB21DF65D9887CDBBB8AF18310F5041EAE40CA6250EB709BD58F44
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LCIDToLocaleName.KERNEL32(?,?,00000055,08000000), ref: 0021116B
                              • GetLocaleInfoEx.KERNEL32(?,0000006D,00000000,00000055), ref: 0021117D
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Locale$InfoName
                              • String ID:
                              • API String ID: 3347482803-0
                              • Opcode ID: 0f6d6cb87c55f6d27cbe107ecd33f77be761ef93ac9240a47b3b7e98173a016f
                              • Instruction ID: e9c335450dc26e51f2f71367fc91916d3b5979dc6611c9fec662bc5daf7f4ba7
                              • Opcode Fuzzy Hash: 0f6d6cb87c55f6d27cbe107ecd33f77be761ef93ac9240a47b3b7e98173a016f
                              • Instruction Fuzzy Hash: 80F0903172132ABBEB205E259C09BFB779DEF05751F040411BB19D61D0E7B0C870DAA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0~G#$~G#
                              • API String ID: 0-2766446049
                              • Opcode ID: cf1e8edd0be6e0d1252b84e73fa9b89ebd01bde8fcd76d69ca23bf2f27c69eb6
                              • Instruction ID: bf6d2c0b1cbf659b60fab484b1ad0dbd66be7a1229d91298640cb1ff5198c6bf
                              • Opcode Fuzzy Hash: cf1e8edd0be6e0d1252b84e73fa9b89ebd01bde8fcd76d69ca23bf2f27c69eb6
                              • Instruction Fuzzy Hash: ACC1F0F0A24A078FCB28CF68C484ABEB7B1AF47314F144659D89797291C7B1ECA5CB41
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0pD#$pD#
                              • API String ID: 0-1409084123
                              • Opcode ID: 0d7c395462b7c3073a13db5f9fd99b49a92b9eea959eca5ea37c829c51dff540
                              • Instruction ID: 417152af1b271ecc30bd22f52913eb1ee1b8202abff52a715ab7ebcee383ef2d
                              • Opcode Fuzzy Hash: 0d7c395462b7c3073a13db5f9fd99b49a92b9eea959eca5ea37c829c51dff540
                              • Instruction Fuzzy Hash: 1CC1BEB052070B8FCB28CF28C49067EBBB2BF55304F644A5AF4569F691CB70AD66CB51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID:
                              • String ID: <#$0
                              • API String ID: 0-1769299206
                              • Opcode ID: e63fcfdcc9b5effa5350f98653edbb8fcd73b8ca4d7bacb89aeea191c82581e0
                              • Instruction ID: c9eb5008b832c103ccbd955536ccd5f34742491a419ccb970f9a205877515681
                              • Opcode Fuzzy Hash: e63fcfdcc9b5effa5350f98653edbb8fcd73b8ca4d7bacb89aeea191c82581e0
                              • Instruction Fuzzy Hash: 64B1DEF0A2074B8BCF248F68C5916BFB7A5AB40700F14065AF952AF791DF30E962CB51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: __floor_pentium4
                              • String ID:
                              • API String ID: 4168288129-0
                              • Opcode ID: f46479336b901083eb5e4999b363af45a0663440b2162fc75a1d15c8070ee0dd
                              • Instruction ID: 2931838407d8ae1dcc6ce4723ce6b9cf647d5b4df1e36af6502ec53fdb791870
                              • Opcode Fuzzy Hash: f46479336b901083eb5e4999b363af45a0663440b2162fc75a1d15c8070ee0dd
                              • Instruction Fuzzy Hash: E2B27B71E246298FDF65CE28CD407EAB3B9EB48306F1541EAD84DE3240E774AE958F44
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,002685BB,?,?,00000008,?,?,002680B0,00000000), ref: 002687ED
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: ExceptionRaise
                              • String ID:
                              • API String ID: 3997070919-0
                              • Opcode ID: 61047ec39a3b45c9f5d33526a1a6164e4a18c72a352decd006f86d2a1558c8d9
                              • Instruction ID: 228be0a3b9c1812df9f99047261d504b8fa07f69dc9572a535ef3d320b806b94
                              • Opcode Fuzzy Hash: 61047ec39a3b45c9f5d33526a1a6164e4a18c72a352decd006f86d2a1558c8d9
                              • Instruction Fuzzy Hash: DBB14E35620609CFDB19CF28C486B657BE0FF45364F658658E8D9CF2A1CB35E9A2CB40
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f8ba2e9c833ac33b10b11fb4a95d9beb37ae1cad4c7189c6e92f501ebc62b90a
                              • Instruction ID: 40349d576ec5dbbf300a55ac3d4d4319dc953bd801ed19a789098e097e6a4ca2
                              • Opcode Fuzzy Hash: f8ba2e9c833ac33b10b11fb4a95d9beb37ae1cad4c7189c6e92f501ebc62b90a
                              • Instruction Fuzzy Hash: 9A510575810219AFDB24DFB8CC89ABAB7B9EF44311F54429DE809D3201EA319E988F54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: 9b1808beae1a5cc4127e0bba3ff0ed00e4decd9d9dd9a578e6bc96abff130d8b
                              • Instruction ID: 661dcc29d0c91f2cd1f3f8994c903f30e408b273dc7c810398ede20a19433aec
                              • Opcode Fuzzy Hash: 9b1808beae1a5cc4127e0bba3ff0ed00e4decd9d9dd9a578e6bc96abff130d8b
                              • Instruction Fuzzy Hash: 7CE1C0B4A206068FCB24CF28C481AAEB7F5FF45310F24466DD4D6AB290D771AD66CF52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: 31543dd8882138299cb00c5e12289453b8e572677b930b1e98a355b742c0d9c9
                              • Instruction ID: 2b78fd35159899f9cc94d9a5f0d5ff6ca9ca51951a496a91a8b5b317f10ef439
                              • Opcode Fuzzy Hash: 31543dd8882138299cb00c5e12289453b8e572677b930b1e98a355b742c0d9c9
                              • Instruction Fuzzy Hash: ABE1D0B0A206068FCB24CF68C480A6EB7F1FF45710F24466DD9DA9B290D771ED66CB52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: 626e04b1d7a230428c079b6d52e8852cf540cf4ce154959ae44b22d132dc7201
                              • Instruction ID: 87664a05bf7d9c226e0f80514aff7ac22f7b8b40db86a71bd48e711a7095c7bf
                              • Opcode Fuzzy Hash: 626e04b1d7a230428c079b6d52e8852cf540cf4ce154959ae44b22d132dc7201
                              • Instruction Fuzzy Hash: F4E1E3B06206068FCB28CF68C580A6EB7F2FF55314F24466ED4D69B290D770ED66CB52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0024F9EE: GetLastError.KERNEL32(?,00000008,00258EFD), ref: 0024F9F2
                                • Part of subcall function 0024F9EE: SetLastError.KERNEL32(00000000,002807B0,00000024,0024E9BA), ref: 0024FA94
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0025C74E
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: ErrorLast$InfoLocale
                              • String ID:
                              • API String ID: 3736152602-0
                              • Opcode ID: 52e651e5e199874f14f7c8ed0013a655c94cf4ea0aebdac6887a2113f70ecd7a
                              • Instruction ID: f5f25c08e06f92384f1a20d7c69402242607044424a9c287f6407eb0da7aabdd
                              • Opcode Fuzzy Hash: 52e651e5e199874f14f7c8ed0013a655c94cf4ea0aebdac6887a2113f70ecd7a
                              • Instruction Fuzzy Hash: 8E21AF72620207AFDB28AE25DC42EBAB3ACEF48715B20007AFD01C6541FB749D689F54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: d82e573fe0daab9ec517099c81e403af63d8b88cddafb1fd77f2f73fec54c676
                              • Instruction ID: a358063516ae522b84c8d9d0be5858515b82bda1181a731d392e5f2c62093476
                              • Opcode Fuzzy Hash: d82e573fe0daab9ec517099c81e403af63d8b88cddafb1fd77f2f73fec54c676
                              • Instruction Fuzzy Hash: 59B1B1F4A2070B9BCF248E6885966BEB7B5AB44304F24061AF492AF291DF70D961CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: 951902f7928135c0c0cc96eee058a7cc4af778838f310884c302fe4ff335c6f5
                              • Instruction ID: 4920fafcd28196abc750597741c09935fbb35384f377230f506f278305dae300
                              • Opcode Fuzzy Hash: 951902f7928135c0c0cc96eee058a7cc4af778838f310884c302fe4ff335c6f5
                              • Instruction Fuzzy Hash: 39B1A2F0A2070B8BCB288F68C5956BEB7B1AB05304F14091AF552DF391CF75A966CB52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0024F9EE: GetLastError.KERNEL32(?,00000008,00258EFD), ref: 0024F9F2
                                • Part of subcall function 0024F9EE: SetLastError.KERNEL32(00000000,002807B0,00000024,0024E9BA), ref: 0024FA94
                              • EnumSystemLocalesW.KERNEL32(0025C4A7,00000001,00000000,?,-00000050,?,0025CAD8,00000000,?,?,?,00000055,?), ref: 0025C3F3
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: ErrorLast$EnumLocalesSystem
                              • String ID:
                              • API String ID: 2417226690-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0024F9EE: GetLastError.KERNEL32(?,00000008,00258EFD), ref: 0024F9F2
                                • Part of subcall function 0024F9EE: SetLastError.KERNEL32(00000000,002807B0,00000024,0024E9BA), ref: 0024FA94
                              • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0025C6C3,00000000,00000000,?), ref: 0025C955
                              Similarity
                              • API ID: ErrorLast$InfoLocale
                              • String ID:
                              • API String ID: 3736152602-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0024F9EE: GetLastError.KERNEL32(?,00000008,00258EFD), ref: 0024F9F2
                                • Part of subcall function 0024F9EE: SetLastError.KERNEL32(00000000,002807B0,00000024,0024E9BA), ref: 0024FA94
                              • EnumSystemLocalesW.KERNEL32(0025C6FA,00000001,00000000,?,-00000050,?,0025CA9C,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0025C466
                              Similarity
                              • API ID: ErrorLast$EnumLocalesSystem
                              • String ID:
                              • API String ID: 2417226690-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetLocaleInfoW.KERNEL32(00000404,00000008,?,00000020), ref: 00210EEE
                              Similarity
                              • API ID: InfoLocale
                              • String ID:
                              • API String ID: 2299586839-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 00255ACF: EnterCriticalSection.KERNEL32(?,?,0024A8FA,00000000,00280380,0000000C,0024A8C1,?,?,00252AD7,?,?,0024FB8C,00000001,00000364,?), ref: 00255ADE
                              • EnumSystemLocalesW.KERNEL32(00252B01,00000001,002806B0,0000000C,00253443,00000000), ref: 00252B4C
                              Similarity
                              • API ID: CriticalEnterEnumLocalesSectionSystem
                              • String ID:
                              • API String ID: 1272433827-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0024F9EE: GetLastError.KERNEL32(?,00000008,00258EFD), ref: 0024F9F2
                                • Part of subcall function 0024F9EE: SetLastError.KERNEL32(00000000,002807B0,00000024,0024E9BA), ref: 0024FA94
                              • EnumSystemLocalesW.KERNEL32(0025C271,00000001,00000000,?,?,0025CAFA,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 0025C34F
                              Similarity
                              • API ID: ErrorLast$EnumLocalesSystem
                              • String ID:
                              • API String ID: 2417226690-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • EnumSystemLocalesW.KERNEL32(Function_00062B01,00000001), ref: 00252CBF
                              Similarity
                              • API ID: EnumLocalesSystem
                              • String ID:
                              • API String ID: 2099609381-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 00211311: FindResourceExW.KERNEL32(00000000,MUI,00000001,00000000,?,0021133C,00000000,00000000,?,0021144E,00000000,?,?,?,00211515,?), ref: 00211323
                              • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0021144E,00000000,?,?,?,00211515,?,00000000,00000000,00000000), ref: 00211344
                              Similarity
                              • API ID: Resource$FindLoad
                              • String ID:
                              • API String ID: 2619053042-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • EnumSystemLocalesW.KERNEL32(Function_00062B01,00000001), ref: 00252C89
                              Similarity
                              • API ID: EnumLocalesSystem
                              • String ID:
                              • API String ID: 2099609381-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Similarity
                              • API ID: HeapProcess
                              • String ID:
                              • API String ID: 54951025-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SetCurrentDirectoryW.KERNEL32(?,?,?), ref: 0020EDCC
                              • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?), ref: 0020EDE8
                              • PathFileExistsW.SHLWAPI(?), ref: 0020EDF2
                              • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0020EE09
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0020EE17
                              • LoadCursorW.USER32(00000000,00007F02), ref: 0020EE3B
                              • SetCursor.USER32(00000000), ref: 0020EE42
                              • DestroyCursor.USER32(00000000), ref: 0020EE49
                              • SendMessageW.USER32(00001027,00000000,00000000), ref: 0020EE64
                              • GetCurrentDirectoryW.KERNEL32(0000012C,0030BF0C), ref: 0020EE74
                              • PathIsRootW.SHLWAPI(0030BF0C), ref: 0020EEA6
                              • SHGetFileInfoW.SHELL32(0030BF0C,00000000,?,000002B4,00000200), ref: 0020EEE0
                              • PathFindFileNameW.SHLWAPI(0030BF0C), ref: 0020EEF8
                              • lstrcpyW.KERNEL32 ref: 0020EF07
                              • lstrcpyW.KERNEL32 ref: 0020EF2D
                              • PathRemoveFileSpecW.SHLWAPI(?), ref: 0020EF37
                              • lstrcatW.KERNEL32(?, - [), ref: 0020EF50
                              • lstrcatW.KERNEL32(?,?), ref: 0020EF62
                              • lstrlenW.KERNEL32(00000000), ref: 0020EF77
                              • lstrcatW.KERNEL32(?,0027E27C), ref: 0020EF95
                              • SetWindowTextW.USER32(?,?), ref: 0020EFC2
                              • lstrcmpW.KERNEL32(0030D39C,*.*,?,?), ref: 0020EFD2
                              • SendMessageW.USER32(00001024,00000000,00000000), ref: 0020F021
                              • SendMessageW.USER32(00000440,0000A41E,00000020), ref: 0020F0AF
                              • GetPropW.USER32(?,DirListData), ref: 0020F0F8
                              • ResetEvent.KERNEL32(?,?,?,?,?,?,?), ref: 0020F10F
                              • ResetEvent.KERNEL32(?,?,?,?,?,?,?), ref: 0020F117
                              • GetPropW.USER32(DirListData), ref: 0020F134
                              • SHGetPathFromIDListW.SHELL32(?,?), ref: 0020F141
                              • lstrcpyW.KERNEL32 ref: 0020F158
                              • SetCurrentDirectoryW.KERNEL32(0030BF0C,?,?,?,?,?,?,?,?,?), ref: 0020F163
                              • SendMessageW.USER32(0000102B,00000000,?), ref: 0020F193
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Directory$CurrentPath$FileMessageSend$Cursorlstrcatlstrcpy$EventPropReset$DestroyExistsFindFromInfoListLoadNameRemoveRootSpecTextWindowWindowslstrcmplstrlen
                              • String ID: $ $ - [$*.*$DirListData$\
                              • API String ID: 2993255122-2785365950
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • IsDlgButtonChecked.USER32(?,?), ref: 001FEE54
                              • GetDlgItem.USER32 ref: 001FEE69
                              • EnableWindow.USER32(00000000), ref: 001FEE72
                              • GetDlgItem.USER32 ref: 001FEE79
                              • EnableWindow.USER32(00000000), ref: 001FEE7C
                              • GetDlgItem.USER32 ref: 001FEE8E
                              • EnableWindow.USER32(00000000), ref: 001FEE97
                              • GetDlgItem.USER32 ref: 001FEE9E
                              • EnableWindow.USER32(00000000), ref: 001FEEA1
                              • IsDlgButtonChecked.USER32(?,?), ref: 001FEEBD
                              • GetDlgItem.USER32 ref: 001FEED2
                              • EnableWindow.USER32(00000000), ref: 001FEEDB
                              • GetDlgItem.USER32 ref: 001FEEE2
                              • EnableWindow.USER32(00000000), ref: 001FEEE5
                              • SendMessageW.USER32(?,00000080,00000000,?), ref: 001FEF2D
                              • CheckDlgButton.USER32(?,00000067,00000001), ref: 001FEF47
                              • CheckDlgButton.USER32(?,00000068,00000001), ref: 001FEF57
                              • CheckDlgButton.USER32(?,00000069,00000001), ref: 001FEF67
                              • CheckDlgButton.USER32(?,0000006A,00000001), ref: 001FEF77
                              • CheckDlgButton.USER32(?,00000064,00000001), ref: 001FEF8E
                              • CheckRadioButton.USER32 ref: 001FEFA6
                              • CheckDlgButton.USER32(?,0000006B,00000001), ref: 001FEFEE
                              • CheckRadioButton.USER32 ref: 001FF000
                              • IsDlgButtonChecked.USER32(?,00000067), ref: 001FF074
                              • IsDlgButtonChecked.USER32(?,00000068), ref: 001FF084
                              • IsDlgButtonChecked.USER32(?,00000069), ref: 001FF094
                              • IsDlgButtonChecked.USER32(?,0000006A), ref: 001FF0A4
                              • IsDlgButtonChecked.USER32(?,00000064), ref: 001FF0B4
                              • IsDlgButtonChecked.USER32(?,00000065), ref: 001FF0BD
                              • IsDlgButtonChecked.USER32(?,0000006B), ref: 001FF0DA
                              • IsDlgButtonChecked.USER32(?,0000006C), ref: 001FF0E3
                              • SetWindowLongW.USER32 ref: 001FF102
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Button$Checked$Check$Window$EnableItem$Radio$LongMessageSend
                              • String ID:
                              • API String ID: 1884937005-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetCommandLineW.KERNEL32(?,749217C0,?,?,?,0020877D), ref: 0020F3A5
                              • StrChrW.SHLWAPI(00000000,00000009,?,?,?,0020877D), ref: 0020F3C9
                              • StrChrW.SHLWAPI(00000000,00000009,?,?,?,0020877D), ref: 0020F3DA
                              • lstrlenW.KERNEL32(00000000,?,?,?,0020877D), ref: 0020F3EC
                              • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,0020877D), ref: 0020F3FE
                              • lstrlenW.KERNEL32(00000000,?,?,?,0020877D), ref: 0020F403
                              • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,0020877D), ref: 0020F40F
                              • lstrcpyW.KERNEL32 ref: 0020F41B
                              • StrChrW.SHLWAPI(00000000,00000020,?,?,?,0020877D), ref: 0020F453
                              • lstrcpyW.KERNEL32 ref: 0020F467
                              • lstrcpyW.KERNEL32 ref: 0020F495
                              • StrChrW.SHLWAPI(00000000,00000020,?,?,?,0020877D), ref: 0020F4CB
                              • lstrcpyW.KERNEL32 ref: 0020F4DF
                              • GlobalFree.KERNEL32 ref: 0020F513
                              • GlobalAlloc.KERNEL32(00000040,0000020C,?,?,?,0020877D), ref: 0020F520
                              • lstrcpyW.KERNEL32 ref: 0020F52D
                              • StrTrimW.SHLWAPI(00000000,0027E724,?,?,?,0020877D), ref: 0020F53A
                              • CharUpperW.USER32(00000000,?,?,?,0020877D), ref: 0020F541
                              • CharUpperW.USER32(00000002,?,?,?,0020877D), ref: 0020F599
                              • lstrcpyW.KERNEL32 ref: 0020F5AB
                              • StrChrW.SHLWAPI(00000000,00000020,?,?,?,0020877D), ref: 0020F5E1
                              • lstrcpyW.KERNEL32 ref: 0020F5F5
                              • StrCpyNW.SHLWAPI(00308DE8,00000000,00000104,?,?,?,0020877D), ref: 0020F61D
                              • PathUnquoteSpacesW.SHLWAPI(00308DE8,?,?,?,0020877D), ref: 0020F632
                              • lstrcpyW.KERNEL32 ref: 0020F647
                              • CharUpperW.USER32(00000002,00000022,?,?,?,0020877D), ref: 0020F652
                              • CharUpperW.USER32(00000002,?,?,?,0020877D), ref: 0020F663
                              • lstrcpyW.KERNEL32 ref: 0020F67B
                              • StrChrW.SHLWAPI(00000000,00000020,?,?,?,0020877D), ref: 0020F6B1
                              • lstrcpyW.KERNEL32 ref: 0020F6C5
                                • Part of subcall function 00206380: CharNextW.USER32(?,?,74CF8250,?,001FF938), ref: 002063A1
                                • Part of subcall function 00206380: lstrlenW.KERNEL32(?,?,74CF8250,?,001FF938), ref: 002063B2
                                • Part of subcall function 00206380: lstrlenW.KERNEL32(?,?,?,001FF938), ref: 002063C7
                                • Part of subcall function 00206380: CharPrevW.USER32(?,00000000,?,?,001FF938), ref: 002063D4
                                • Part of subcall function 00206380: CharPrevW.USER32(?,00000000,?,?,001FF938), ref: 002063E7
                              • lstrcpyW.KERNEL32 ref: 0020F783
                              • StrChrW.SHLWAPI(00000000,00000020,?,?,?,0020877D), ref: 0020F7B9
                              • lstrcpyW.KERNEL32 ref: 0020F7CD
                              • GlobalFree.KERNEL32 ref: 0020F7F4
                              • lstrlenW.KERNEL32(00000000,?,?,?,0020877D), ref: 0020F7FB
                              • GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,0020877D), ref: 0020F80B
                              • lstrcpyW.KERNEL32 ref: 0020F818
                              • LocalFree.KERNEL32(00000000,?,?,?,0020877D), ref: 0020F826
                              • LocalFree.KERNEL32(00000000,?,?,?,0020877D), ref: 0020F829
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: lstrcpy$Char$lstrlen$AllocFreeGlobalLocalUpper$Prev$CommandLineNextPathSpacesTrimUnquote
                              • String ID: %i,%i,%i,%i
                              • API String ID: 792320778-2825437791
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: ButtonCheckRadio$Window$BrushCreateCtrlDeleteEnableItemObjectSolid$LongMessageSend
                              • String ID: $
                              • API String ID: 3681293412-3993045852
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • EndDialog.USER32(?,00000001), ref: 001FEA53
                              • SendMessageW.USER32(?,00000080,00000000,?), ref: 001FEA75
                              • SetDlgItemTextW.USER32 ref: 001FEA89
                              • SetDlgItemTextW.USER32 ref: 001FEA93
                              • SetDlgItemTextW.USER32 ref: 001FEA9D
                              • DeleteObject.GDI32(?), ref: 001FEAA9
                              • SendDlgItemMessageW.USER32 ref: 001FEABE
                              • GetStockObject.GDI32(00000011), ref: 001FEACB
                              • GetObjectW.GDI32(00000000,0000005C,?), ref: 001FEADE
                              • CreateFontIndirectW.GDI32(?), ref: 001FEB01
                              • SendDlgItemMessageW.USER32 ref: 001FEB14
                              • GetDlgItem.USER32 ref: 001FEB1F
                              • SetDlgItemTextW.USER32 ref: 001FEB2D
                              • GetDlgItem.USER32 ref: 001FEB34
                              • ShowWindow.USER32(00000000), ref: 001FEB37
                              • wsprintfW.USER32 ref: 001FEB49
                              • SetDlgItemTextW.USER32 ref: 001FEB5A
                              • GetDlgItem.USER32 ref: 001FEB5F
                              • SetDlgItemTextW.USER32 ref: 001FEB6D
                              • GetDlgItem.USER32 ref: 001FEB74
                              • ShowWindow.USER32(00000000), ref: 001FEB77
                              • wsprintfW.USER32 ref: 001FEB89
                              • SetDlgItemTextW.USER32 ref: 001FEB9A
                              • LoadStringW.USER32(0000C366,?,00000100), ref: 001FEBB7
                              • LoadStringW.USER32(0000C366,?,00000100), ref: 001FEBD2
                              • SetDlgItemTextW.USER32 ref: 001FEBDC
                              • ShellExecuteW.SHELL32(?,open,mailto:florian.balmer@gmail.com,00000000,00000000,00000001), ref: 001FEC2B
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Item$Text$MessageObjectSend$LoadShowStringWindowwsprintf$CreateDeleteDialogExecuteFontIndirectShellStock
                              • String ID: <A>%s</A>$Florian Balmer et al. ( metapath )$MiniPath (x86) 1 Build 191$https://www.flos-freeware.ch$https://www.rizonesoft.com$mailto:florian.balmer@gmail.com$open
                              • API String ID: 2852744854-2807268571
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • IsDlgButtonChecked.USER32(?,00000065), ref: 00202742
                              • GetDlgItemTextW.USER32(?,00000066,?,00000104), ref: 0020275D
                              • IsDlgButtonChecked.USER32(?,00000069), ref: 00202766
                              • IsDlgButtonChecked.USER32(?,0000006A), ref: 0020277F
                              • GetDlgItemTextW.USER32(?,0000006C,?,00000104), ref: 00202794
                              • GetDlgItemTextW.USER32(?,0000006D,?,00000104), ref: 002027A9
                              • GetDlgItemTextW.USER32(?,0000006E,?,00000104), ref: 002027BE
                              • IsDlgButtonChecked.USER32(?,00000064), ref: 002027EC
                              • GetDlgItemTextW.USER32(?,00000066,?,00000104), ref: 00202835
                              • lstrcpyW.KERNEL32 ref: 00202867
                              • lstrcpyW.KERNEL32 ref: 00202873
                              • IsDlgButtonChecked.USER32(?,00000068), ref: 002028BD
                              • IsDlgButtonChecked.USER32(?,00000069), ref: 002028D9
                              • IsDlgButtonChecked.USER32(?,00000069), ref: 00202910
                              • lstrcpyW.KERNEL32 ref: 00202944
                              • IsDlgButtonChecked.USER32(?,0000006A), ref: 00202960
                              • GetDlgItemTextW.USER32(?,0000006C,00309AE0,00000100), ref: 00202983
                              • lstrcpyW.KERNEL32 ref: 00202991
                              • GetDlgItemTextW.USER32(?,0000006D,003090A0,00000100), ref: 002029C0
                              • lstrcpyW.KERNEL32 ref: 002029CE
                              • GetDlgItemTextW.USER32(?,0000006E,003094C0,00000100), ref: 002029FD
                              • lstrcpyW.KERNEL32 ref: 00202A0B
                              • EndDialog.USER32(?,00000001), ref: 00202A43
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: ButtonCheckedItemText$lstrcpy$Dialog
                              • String ID: DDEApplication$DDEMessage$DDETopic$Target Application$TargetApplicationMode$TargetApplicationParams$TargetApplicationPath$TargetApplicationWndClass$UseTargetApplication
                              • API String ID: 469813264-1845030746
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,749217C0), ref: 001F4476
                              • lstrcmpiW.KERNEL32(00308DE8,0027D624), ref: 001F4494
                              • ExpandEnvironmentStringsW.KERNEL32(00308DE8,?,00000138), ref: 001F44DD
                              • lstrcpynW.KERNEL32(00308DE8,?,00000104), ref: 001F44F9
                              • PathIsRelativeW.SHLWAPI(00308DE8), ref: 001F4504
                              • lstrcpyW.KERNEL32 ref: 001F4521
                              • PathRemoveFileSpecW.SHLWAPI(?), ref: 001F4528
                              • PathAppendW.SHLWAPI(?,00308DE8), ref: 001F4538
                              • lstrcpyW.KERNEL32 ref: 001F4548
                              • PathFindFileNameW.SHLWAPI(?), ref: 001F4575
                              • lstrcpyW.KERNEL32 ref: 001F4583
                              • PathRenameExtensionW.SHLWAPI(?,.ini), ref: 001F4595
                              • lstrcpyW.KERNEL32 ref: 001F45B5
                              • lstrcpyW.KERNEL32 ref: 001F45D8
                              • PathRenameExtensionW.SHLWAPI(00308DE8,.ini), ref: 001F45E4
                              • PathRemoveFileSpecW.SHLWAPI(?), ref: 001F463E
                              • lstrcatW.KERNEL32(?,\Notepad3.exe), ref: 001F4651
                              • PathFindFileNameW.SHLWAPI(?), ref: 001F465F
                              • lstrcpyW.KERNEL32 ref: 001F4667
                              • PathRenameExtensionW.SHLWAPI(?,.ini), ref: 001F4673
                              • lstrcpyW.KERNEL32 ref: 001F4695
                              • lstrcpyW.KERNEL32 ref: 001F46BA
                              • PathRenameExtensionW.SHLWAPI(00308BE0,.ini), ref: 001F46C6
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Path$lstrcpy$File$ExtensionRename$Name$FindRemoveSpec$AppendEnvironmentExpandModuleRelativeStringslstrcatlstrcmpilstrcpyn
                              • String ID: .ini$\Notepad3.exe$minipath$minipath.ini$notepad3$notepad3.ini
                              • API String ID: 3294106345-3709775904
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • MonitorFromRect.USER32(?,00000002), ref: 002089B9
                              • GetMonitorInfoW.USER32 ref: 002089D3
                              • SetRect.USER32 ref: 00208AAF
                              • IntersectRect.USER32 ref: 00208ACD
                              • SystemParametersInfoW.USER32 ref: 00208B31
                              • CreateWindowExW.USER32 ref: 00208B84
                              • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 00208BA8
                              • GetWindowLongW.USER32(00000000,000000EC), ref: 00208BC6
                              • SetWindowLongW.USER32 ref: 00208BD5
                              • MulDiv.KERNEL32(?,000000FF,00000064), ref: 00208BE3
                              • SetLayeredWindowAttributes.USER32(00000000,00000000,?,00000002), ref: 00208BF6
                              • GetWindowLongW.USER32(00000000,000000EC), ref: 00208BFE
                              • SetWindowLongW.USER32 ref: 00208C0D
                              • ShowWindow.USER32(?), ref: 00208C29
                              • UpdateWindow.USER32 ref: 00208C35
                              • ShowWindow.USER32(00000000), ref: 00208C48
                              • LoadImageW.USER32 ref: 00208C6D
                              • lstrcpyW.KERNEL32 ref: 00208CC1
                              • Shell_NotifyIconW.SHELL32(00000000,000003BC), ref: 00208CCE
                              • GlobalFree.KERNEL32 ref: 00208CEE
                              • SendMessageW.USER32(00001004,00000000,00000000), ref: 00208D7E
                              • PostMessageW.USER32(00000111,00019D0D,00000000), ref: 00208D99
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Window$Long$Rect$InfoMessageMonitorShow$AttributesCreateFreeFromGlobalIconImageIntersectLayeredLoadNotifyParametersPostSendShell_SystemUpdatelstrcpy
                              • String ID: ($C:\Users\user\Documents$MRUDirectory$MinPath$MiniPath$Settings
                              • API String ID: 3277733087-2638332289
                              • Opcode ID: eef26c9b47bbbad79ec7dec136d55bc9045542b759531a89b81a3dba6f1bfb93
                              • Instruction ID: be6588cfe4f8ca9cd02eca7f788eea23e6ac56a7f213cf34613ddd9b8b45dd0d
                              • Opcode Fuzzy Hash: eef26c9b47bbbad79ec7dec136d55bc9045542b759531a89b81a3dba6f1bfb93
                              • Instruction Fuzzy Hash: 80C115716143059FD7218F24EC89BABB7E8FB84704F10862EF685D72D2DBB0A954CB52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetPropW.USER32(00000000,DirListData), ref: 002033AC
                              • SHGetFileInfoW.SHELL32(Icon,00000010,?,000002B4,00004011), ref: 002033D5
                              • SHGetFileInfoW.SHELL32(Icon,00000080,?,000002B4,00004011), ref: 00203404
                                • Part of subcall function 00203280: GetPropW.USER32(?,DirListData), ref: 0020328A
                                • Part of subcall function 00203280: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,00203420,?,?), ref: 00203298
                                • Part of subcall function 00203280: WaitForSingleObject.KERNEL32(?,00000000,?,?,?,?,?,?,?,00203420,?,?), ref: 002032A6
                                • Part of subcall function 00203280: PeekMessageW.USER32 ref: 002032D2
                                • Part of subcall function 00203280: TranslateMessage.USER32(?), ref: 002032DD
                                • Part of subcall function 00203280: DispatchMessageW.USER32 ref: 002032E4
                                • Part of subcall function 00203280: WaitForSingleObject.KERNEL32(?,00000000,?,?,?,?,?,?,?,00203420,?,?), ref: 002032EE
                                • Part of subcall function 00203280: ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,00203420,?,?), ref: 00203301
                                • Part of subcall function 00203280: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,00203420,?,?), ref: 0020330D
                              • lstrcpyW.KERNEL32 ref: 00203437
                              • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00203448
                              • SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00203458
                              • lstrcmpW.KERNEL32(?,*.*,?,?,?,?,?,?), ref: 002034CA
                              • StrChrW.SHLWAPI ref: 002034F3
                              • StrChrW.SHLWAPI(?,0000003B), ref: 00203520
                              • lstrcpyW.KERNEL32 ref: 0020356C
                              • SHGetDesktopFolder.SHELL32(?,?,?,?,?,?,?,?,?), ref: 00203577
                              • SHGetDataFromIDListW.SHELL32(?,?,00000001,?,00000250), ref: 0020367F
                              • PathMatchSpecW.SHLWAPI(?,?), ref: 002036C6
                              • CoTaskMemAlloc.OLE32(00000008), ref: 002036E9
                              • SendMessageW.USER32(?,0000104D,00000000,?), ref: 00203747
                              • CoTaskMemFree.OLE32(?,?,?,?,?,?,?,?,?), ref: 00203792
                              • SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 002037FF
                              • SendMessageW.USER32(?,00001030,00000000,00203C30), ref: 00203824
                              • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 0020382D
                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00203839
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Message$Send$Event$FileInfoObjectPropSingleTaskWaitlstrcpy$AllocDataDesktopDispatchFolderFreeFromListMatchPathPeekResetSpecTranslatelstrcmp
                              • String ID: *.*$C:\Users\user\Desktop$DirListData$Icon
                              • API String ID: 2929906256-267214122
                              • Opcode ID: d52b581c3e6098b72fae0e372d68bb9410715ea762472ac116999695601a2879
                              • Instruction ID: e81e679c0f19dfdc7205f3beb5228a3483a3c77a2503b46d0af592d9091d14fc
                              • Opcode Fuzzy Hash: d52b581c3e6098b72fae0e372d68bb9410715ea762472ac116999695601a2879
                              • Instruction Fuzzy Hash: A7E18EB4214342AFE720CF64C884F6BB7E8AF88704F14891DF5899B2E1D7B1E955CB52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 00203CE0: SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00203D18
                                • Part of subcall function 00203CE0: SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 00203D28
                                • Part of subcall function 00203CE0: SendMessageW.USER32(?,?,?,0000104B), ref: 00203D4D
                                • Part of subcall function 002064F0: lstrlenW.KERNEL32(?,?,?,001FE260), ref: 002064F5
                                • Part of subcall function 002064F0: CharPrevW.USER32(?,?,?,?,001FE260), ref: 00206512
                                • Part of subcall function 002064F0: CharPrevW.USER32(?,?,?,?,?,001FE260), ref: 0020651C
                              • lstrcpyW.KERNEL32 ref: 00200F1B
                                • Part of subcall function 00207A20: FindResourceW.KERNEL32(00000000,?,00000005,?,?), ref: 00207A37
                                • Part of subcall function 00207A20: LoadResource.KERNEL32(00000000,00000000), ref: 00207A4A
                                • Part of subcall function 00207A20: LockResource.KERNEL32(00000000), ref: 00207A5B
                                • Part of subcall function 00207A20: SizeofResource.KERNEL32(00000000,00000000), ref: 00207A6E
                                • Part of subcall function 00207A20: LocalAlloc.KERNEL32(00000040,00000040), ref: 00207A84
                                • Part of subcall function 00207A20: FreeResource.KERNEL32(00000000), ref: 00207AA0
                                • Part of subcall function 00207A20: lstrlenW.KERNEL32(?), ref: 00207B1D
                              • DialogBoxIndirectParamW.USER32 ref: 00200F3C
                              • LocalFree.KERNEL32(00000000,?,Function_00010610,?), ref: 00200F49
                              • LocalAlloc.KERNEL32(00000040,00000268), ref: 00200FCC
                              • lstrcpynW.KERNEL32(00000000,Copy/Move MRU,00000100,?,Function_00010610,?), ref: 00200FFD
                              • lstrcmpiW.KERNEL32(00000000,00000000), ref: 00201044
                              • lstrcmpW.KERNEL32(00000000,00000000), ref: 0020104C
                              • LocalFree.KERNEL32(?), ref: 0020106B
                              • StrDupW.SHLWAPI(00000000), ref: 002010A6
                              • ExpandEnvironmentStringsW.KERNEL32(?,?,00000138), ref: 002010E1
                              • lstrcpynW.KERNEL32(?,?,00000104), ref: 00201100
                              • lstrcpyW.KERNEL32 ref: 00201140
                              • lstrcpyW.KERNEL32 ref: 00201152
                              • PathIsRelativeW.SHLWAPI(?,?,?,?,?,Function_00010610,?), ref: 0020115C
                              • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,Function_00010610,?), ref: 00201179
                              • PathAppendW.SHLWAPI(?,?,?,?,?,?,Function_00010610,?), ref: 0020118F
                              • lstrcpyW.KERNEL32 ref: 002011A1
                              • PathIsDirectoryW.SHLWAPI(?), ref: 002011AB
                              • PathFindFileNameW.SHLWAPI(?,?,?,?,?,Function_00010610,?), ref: 002011BD
                              • PathAppendW.SHLWAPI(?,00000000,?,?,?,?,Function_00010610,?), ref: 002011CC
                              • SHFileOperationW.SHELL32(?,?,?,?,?,Function_00010610,?), ref: 002011D3
                              • GetFileAttributesW.KERNEL32(?,?,?,?,?,Function_00010610,?), ref: 002011ED
                              • SetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,Function_00010610,?), ref: 00201203
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: PathResource$FileLocallstrcpy$FreeMessageSend$AllocAppendAttributesCharDirectoryFindPrevlstrcpynlstrlen$CurrentDialogEnvironmentExpandIndirectLoadLockNameOperationParamRelativeSizeofStringslstrcmplstrcmpi
                              • String ID: Copy/Move MRU
                              • API String ID: 3598563394-4109381532
                              • Opcode ID: 35676bed17bb129926f1f1adfbe71ddbb0ce1b55d2df254095f8fff6a17a03a0
                              • Instruction ID: 65fad697764d35c729201be24d5b0885ee48f5b9c9837c35acb9afd914ad3ae0
                              • Opcode Fuzzy Hash: 35676bed17bb129926f1f1adfbe71ddbb0ce1b55d2df254095f8fff6a17a03a0
                              • Instruction Fuzzy Hash: 9791B3765143459BD720DF64DC89BDBB3ECFF84300F018919EA89D3192EB70A9A4CB92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SendMessageW.USER32(?,00000080,00000000,?), ref: 001FEC81
                              • CheckDlgButton.USER32(?,0000006B,00000001), ref: 001FECA5
                              • GetDlgItem.USER32 ref: 001FECAE
                              • EnableWindow.USER32(00000000), ref: 001FECB5
                              • CheckDlgButton.USER32(?,00000064,00000001), ref: 001FECC9
                              • CheckDlgButton.USER32(?,00000065,00000001), ref: 001FECD9
                              • CheckDlgButton.USER32(?,00000066,00000001), ref: 001FECE9
                              • CheckDlgButton.USER32(?,00000067,00000001), ref: 001FECF9
                              • CheckDlgButton.USER32(?,00000068,00000001), ref: 001FED09
                              • CheckDlgButton.USER32(?,00000069,00000001), ref: 001FED19
                              • CheckDlgButton.USER32(?,0000006A,00000001), ref: 001FED3C
                              • GetDlgItem.USER32 ref: 001FED65
                              • IsWindowEnabled.USER32(00000000), ref: 001FED6C
                              • IsDlgButtonChecked.USER32(?,0000006B), ref: 001FED7F
                              • IsDlgButtonChecked.USER32(?,00000064), ref: 001FED8F
                              • IsDlgButtonChecked.USER32(?,00000065), ref: 001FED9F
                              • IsDlgButtonChecked.USER32(?,00000066), ref: 001FEDAF
                              • IsDlgButtonChecked.USER32(?,00000067), ref: 001FEDBF
                              • IsDlgButtonChecked.USER32(?,00000068), ref: 001FEDCF
                              • IsDlgButtonChecked.USER32(?,00000069), ref: 001FEDDF
                              • IsDlgButtonChecked.USER32(?,0000006A), ref: 001FEDEF
                              • SetWindowLongW.USER32 ref: 001FEE06
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Button$CheckChecked$Window$Item$EnableEnabledLongMessageSend
                              • String ID: ReuseWindow$Settings2
                              • API String ID: 803896276-719659277
                              • Opcode ID: 124fcbbc542e681976114ebb657108337390ee505ee737dad445aabe355fca8d
                              • Instruction ID: 9f316c3782758e532ccb437bc0c269afc36ab25e7fb3060f3186ca4a981fa520
                              • Opcode Fuzzy Hash: 124fcbbc542e681976114ebb657108337390ee505ee737dad445aabe355fca8d
                              • Instruction Fuzzy Hash: 7241C9313D1719AAF7216B38FC19FB6329DAB40B01F014A26F701DA1E0D7F68981CA55
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0020CE81
                              • lstrcpyW.KERNEL32 ref: 0020CE94
                              • PathQuoteSpacesW.SHLWAPI(?), ref: 0020CEA2
                              • lstrcatW.KERNEL32(?, -f), ref: 0020CEBB
                              • lstrcatW.KERNEL32(?,0027DF90), ref: 0020CED4
                              • lstrcatW.KERNEL32(?,00308DE8), ref: 0020CEE3
                              • lstrcatW.KERNEL32(?,0027E6B0), ref: 0020CEF9
                              • lstrcatW.KERNEL32(?, -n), ref: 0020CF08
                              • GetWindowPlacement.USER32(?,?), ref: 0020CF1E
                              • MonitorFromRect.USER32(?,00000002), ref: 0020CF2E
                              • GetMonitorInfoW.USER32 ref: 0020CF42
                              • wsprintfW.USER32 ref: 0020CFA1
                              • lstrcatW.KERNEL32(?,?), ref: 0020CFBA
                              • ShellExecuteW.SHELL32(?,00000000,?,?,00000000,00000001), ref: 0020CFD3
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: lstrcat$Monitor$ExecuteFileFromInfoModuleNamePathPlacementQuoteRectShellSpacesWindowlstrcpywsprintf
                              • String ID: -f$ -n$ -p %i,%i,%i,%i$($,
                              • API String ID: 3816053248-2039397706
                              • Opcode ID: 4e9b28b7d5bf944d950eee59e7ab0f6e1fa7c2fe01b028e74648c759c5aa0c72
                              • Instruction ID: a55cd1872ab3b5ffb895f8d7ce0ed5234e82a796b6e202aec725a50f77207993
                              • Opcode Fuzzy Hash: 4e9b28b7d5bf944d950eee59e7ab0f6e1fa7c2fe01b028e74648c759c5aa0c72
                              • Instruction Fuzzy Hash: AE414D75518345ABDB20DB60DC49EDBBBECFF85300F51881AF589C3191DBB0A548CBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 001F2810: PathFileExistsW.SHLWAPI(00308DE8,?,?,001F4A32,23499D16), ref: 001F2827
                                • Part of subcall function 001F2810: PathIsDirectoryW.SHLWAPI(00308DE8), ref: 001F283A
                              • lstrcpyW.KERNEL32 ref: 0021041A
                              • lstrcpyW.KERNEL32 ref: 00210426
                              • lstrcpyW.KERNEL32 ref: 00210432
                              • lstrcpyW.KERNEL32 ref: 0021043E
                              • lstrcpyW.KERNEL32 ref: 0021044A
                              • lstrcpyW.KERNEL32 ref: 00210456
                                • Part of subcall function 001F29E0: lstrlenW.KERNEL32(?,?,?,?,?,0027D420,00308FF0,00000055,23499D16), ref: 001F2ABC
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: lstrcpy$Path$DirectoryExistsFilelstrlen
                              • String ID: DDEApplication$DDEMessage$DDETopic$Notepad3$Notepad3.exe$Target Application$TargetApplicationMode$TargetApplicationParams$TargetApplicationPath$TargetApplicationWndClass$UseTargetApplication
                              • API String ID: 3318512330-1779093258
                              • Opcode ID: c1f84a810c68cff5e18a325fb570f1f63ad0d928067d9bf729eac8a0525797ff
                              • Instruction ID: ced096aba02af16e34dddc02b0c4ab0d6be6517e8d328694df1b48086770fe7e
                              • Opcode Fuzzy Hash: c1f84a810c68cff5e18a325fb570f1f63ad0d928067d9bf729eac8a0525797ff
                              • Instruction Fuzzy Hash: 0E41EAB1B6231877DF01AB50AC67BAB3654F715B18F108877F5093A2D2DAF224A48671
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DName::operator+.LIBCMT ref: 0021C10D
                              • DName::operator+.LIBCMT ref: 0021C250
                                • Part of subcall function 00217B49: shared_ptr.LIBCMT ref: 00217B65
                              • DName::operator+.LIBCMT ref: 0021C1FB
                              • DName::operator+.LIBCMT ref: 0021C29C
                              • DName::operator+.LIBCMT ref: 0021C2AB
                              • DName::operator+.LIBCMT ref: 0021C3D7
                              • DName::operator=.LIBVCRUNTIME ref: 0021C417
                              • DName::DName.LIBVCRUNTIME ref: 0021C42F
                              • DName::operator+.LIBCMT ref: 0021C43E
                              • DName::operator+.LIBCMT ref: 0021C44A
                                • Part of subcall function 0021D92E: Replicator::operator[].LIBCMT ref: 0021D96B
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]shared_ptr
                              • String ID: e'
                              • API String ID: 1043660730-1504820757
                              • Opcode ID: aa502e74fbc3d4f85cb0d4393f4c26d222f04716537e9ef12cd494385548c4cb
                              • Instruction ID: 66965750126a92c13f6780b3a2f5eff45bc5c179a7ff0e3b527d1d9be8f30ee0
                              • Opcode Fuzzy Hash: aa502e74fbc3d4f85cb0d4393f4c26d222f04716537e9ef12cd494385548c4cb
                              • Instruction Fuzzy Hash: AFC1C2B5D642059FCB14CFA4C855BEEB7F8BF65300F24445EE046A7281DB74AA94CF50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetDlgItemTextW.USER32(?,00000066,?,00000104), ref: 0020246F
                              • lstrcpyW.KERNEL32 ref: 0020248B
                                • Part of subcall function 00206380: CharNextW.USER32(?,?,74CF8250,?,001FF938), ref: 002063A1
                                • Part of subcall function 00206380: lstrlenW.KERNEL32(?,?,74CF8250,?,001FF938), ref: 002063B2
                                • Part of subcall function 00206380: lstrlenW.KERNEL32(?,?,?,001FF938), ref: 002063C7
                                • Part of subcall function 00206380: CharPrevW.USER32(?,00000000,?,?,001FF938), ref: 002063D4
                                • Part of subcall function 00206380: CharPrevW.USER32(?,00000000,?,?,001FF938), ref: 002063E7
                              • StrChrW.SHLWAPI(00000022,00000020), ref: 002024DC
                              • lstrcpyW.KERNEL32 ref: 002024F6
                              • GetOpenFileNameW.COMDLG32(00000058), ref: 0020259F
                              • StrCpyNW.SHLWAPI(?,?,00000104), ref: 002025C0
                              • PathQuoteSpacesW.SHLWAPI(?), ref: 002025E3
                              • StrCatBuffW.SHLWAPI(?,0027DDEC,00000104), ref: 00202610
                              • StrCatBuffW.SHLWAPI(?,?,00000104), ref: 00202625
                              • SetDlgItemTextW.USER32 ref: 00202631
                              • PostMessageW.USER32(?,00000028,00000001,00000000), ref: 0020263E
                              • CheckRadioButton.USER32 ref: 0020264B
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Char$BuffItemPrevTextlstrcpylstrlen$ButtonCheckFileMessageNameNextOpenPathPostQuoteRadioSpaces
                              • String ID: "$X
                              • API String ID: 1396828129-1355838460
                              • Opcode ID: eb16461c052ea0649c9557e49df47a396fff1b9400bfb08f2d01e0d9bbb8c61a
                              • Instruction ID: 85489b3a39dda2f7ed1abcf7c73d65e4897ffa9ad7a28da91966d84cb094a98c
                              • Opcode Fuzzy Hash: eb16461c052ea0649c9557e49df47a396fff1b9400bfb08f2d01e0d9bbb8c61a
                              • Instruction Fuzzy Hash: 8A517F75954328DAEB60DB60DC8DBDA73B8FB04700F4041A6E649A71D1EFB19A98CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetDlgItem.USER32 ref: 00200304
                              • GetWindowTextLengthW.USER32(00000000), ref: 00200307
                              • GetDlgItem.USER32 ref: 00200311
                              • EnableWindow.USER32(00000000), ref: 00200314
                              • SetWindowLongW.USER32 ref: 002003A7
                              • SendMessageW.USER32(?,00000080,00000000,?), ref: 002003BF
                              • SetDlgItemTextW.USER32 ref: 002003CF
                              • SetDlgItemTextW.USER32 ref: 002003D5
                              • SendDlgItemMessageW.USER32 ref: 002003EC
                              • SendDlgItemMessageW.USER32 ref: 002003FA
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Item$MessageSendTextWindow$EnableLengthLong
                              • String ID:
                              • API String ID: 2189001810-0
                              • Opcode ID: 3f9e85d7c18cde68b39e51adec7b528c796b0abbb059f6afc30ce8ca78a872e8
                              • Instruction ID: 6888d18c7b1684ed1caeaa26e95c4cfef4adc69d5617cb801afdb6dca7d91100
                              • Opcode Fuzzy Hash: 3f9e85d7c18cde68b39e51adec7b528c796b0abbb059f6afc30ce8ca78a872e8
                              • Instruction Fuzzy Hash: F631C8363407147BF7215B68BC8EF6B2B1CE784B52F008416F701EA1D1E7D6A8619B61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: shared_ptr$operator+$Name::operator+Name::operator=
                              • String ID: Dh'$dh'
                              • API String ID: 1464150960-3536781158
                              • Opcode ID: 16d50cecb54b92e5db17f9ea27903545da48358986ed81013022f7fa625ba3fd
                              • Instruction ID: 80d9bf7855673c540fc7a31c24c5040d33d5b008ba813738ad1280e657520f86
                              • Opcode Fuzzy Hash: 16d50cecb54b92e5db17f9ea27903545da48358986ed81013022f7fa625ba3fd
                              • Instruction Fuzzy Hash: 8FE17BB1C2424ADACB05DF94C4A8AFEBBF8EF24304F10815AD516A7240D7755BE9CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 00203CE0: SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00203D18
                                • Part of subcall function 00203CE0: SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 00203D28
                                • Part of subcall function 00203CE0: SendMessageW.USER32(?,?,?,0000104B), ref: 00203D4D
                              • lstrcpyW.KERNEL32 ref: 00208EAD
                              • PathStripPathW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,00000208), ref: 00208EB7
                              • PathRemoveExtensionW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,00000208), ref: 00208EC5
                              • lstrcpyW.KERNEL32 ref: 00208EDD
                              • lstrcpyW.KERNEL32 ref: 00208F05
                              • GetMenuItemInfoW.USER32(?,00009C41,00000000,00000030), ref: 00208F76
                              • SetMenuItemInfoW.USER32 ref: 00208F94
                              • GetSubMenu.USER32 ref: 00208FA4
                              • SetMenuDefaultItem.USER32(00000000,?,00000000,00009C41,00000000), ref: 00208FAB
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Menu$ItemMessagePathSendlstrcpy$Info$DefaultExtensionRemoveStrip
                              • String ID: ...$0$0$Notepad3
                              • API String ID: 2793067833-1122624146
                              • Opcode ID: 6a0497f89857d52801e34894b306ca8920f21c5cac7bba0945187d76300ebb1a
                              • Instruction ID: cb77ba9565bd432a26eedc6033fe10a7b7d25b2f647447ccc0acce47fac567d0
                              • Opcode Fuzzy Hash: 6a0497f89857d52801e34894b306ca8920f21c5cac7bba0945187d76300ebb1a
                              • Instruction Fuzzy Hash: 8541E4B5914345ABDB20DF60DC49FAB73ECBB94704F44491DF688921C2EBB4A1988F52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetSysColor.USER32(0000000F), ref: 002091C8
                              • SetBkColor.GDI32(?,00000000), ref: 002091D0
                              • GetSysColor.USER32(00000012), ref: 002091F1
                              • SetTextColor.GDI32(?,00000000), ref: 002091F9
                              • GetSystemMetrics.USER32 ref: 00209222
                              • GetWindowDC.USER32(?), ref: 0020922D
                              • FrameRect.USER32 ref: 0020925F
                              • GetSysColorBrush.USER32(00000015), ref: 00209284
                              • FrameRect.USER32 ref: 00209291
                              • ReleaseDC.USER32 ref: 0020929C
                              • lstrlenW.KERNEL32(?,00000000), ref: 002092AC
                              • ExtTextOutW.GDI32(?,?,?,00000402,?,?,00000000), ref: 002092CB
                                • Part of subcall function 001F19E0: SystemParametersInfoW.USER32 ref: 001F1A11
                              • LoadMenuW.USER32 ref: 0020A066
                              • GetSubMenu.USER32 ref: 0020A071
                              • SetForegroundWindow.USER32(?), ref: 0020A07D
                              • GetCursorPos.USER32(?), ref: 0020A088
                              • SetMenuDefaultItem.USER32(00000000,00009E99,00000000), ref: 0020A096
                              • TrackPopupMenu.USER32(00000000,00000182,?,?,00000000,?,00000000), ref: 0020A0B2
                              • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 0020A0C7
                              • DestroyMenu.USER32(00000000), ref: 0020A0CE
                              • ShowOwnedPopups.USER32(?,00000001), ref: 0020A126
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: ColorMenu$FrameRectSystemTextWindow$BrushCursorDefaultDestroyForegroundInfoItemLoadMessageMetricsOwnedParametersPopupPopupsPostReleaseShowTracklstrlen
                              • String ID: 333
                              • API String ID: 3530067508-2463598333
                              • Opcode ID: 77020d28b53cc1885b9f67a85a49c283ccc3ad11851253d630fa22c91112e96d
                              • Instruction ID: fcc3a7ca2e48f99117b2f9e0ef79f4ad3297582098cbb63a27be1db03b6aaaf6
                              • Opcode Fuzzy Hash: 77020d28b53cc1885b9f67a85a49c283ccc3ad11851253d630fa22c91112e96d
                              • Instruction Fuzzy Hash: B241F635118341AFD7119F64EC48B7EB7F8FF84304F04890AF986931A2DBB09886CB62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Name::operator+$NameName::$Decorator::getReturnTypeoperator+
                              • String ID:
                              • API String ID: 2932655852-0
                              • Opcode ID: 4905956f880649f5bc7ad8d0a6738e08e0eadf88cdaba6919a216a6d34391a05
                              • Instruction ID: be3c15522ec05c2d844735cc3099d429d24f03b42fa82df403986fca9d938539
                              • Opcode Fuzzy Hash: 4905956f880649f5bc7ad8d0a6738e08e0eadf88cdaba6919a216a6d34391a05
                              • Instruction Fuzzy Hash: 99C173B1925209AFCB15DFA4D8929EE7BF8EF68300F14006EF50297291DB70AAD4CB51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DName::operator+.LIBCMT ref: 0021CC41
                              • UnDecorator::getSignedDimension.LIBCMT ref: 0021CC4C
                              • UnDecorator::getSignedDimension.LIBCMT ref: 0021CD38
                              • UnDecorator::getSignedDimension.LIBCMT ref: 0021CD55
                              • UnDecorator::getSignedDimension.LIBCMT ref: 0021CD72
                              • DName::operator+.LIBCMT ref: 0021CD87
                              • UnDecorator::getSignedDimension.LIBCMT ref: 0021CDA1
                              • swprintf.LIBCMT ref: 0021CE1B
                              • DName::operator+.LIBCMT ref: 0021CE76
                                • Part of subcall function 00218BEA: DName::DName.LIBVCRUNTIME ref: 00218C48
                              • DName::DName.LIBVCRUNTIME ref: 0021CEED
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Decorator::getDimensionSigned$Name::operator+$NameName::$swprintf
                              • String ID: 7!
                              • API String ID: 3689813335-945759478
                              • Opcode ID: 68be06744c5e30d13a0c7e7bb89174ff7d585d8599f483f3a69ba8c937817d33
                              • Instruction ID: 68f223f370dc1580aef4e5d1746c914afb36374fe07dd9bba1b6bcaa3c09b1a5
                              • Opcode Fuzzy Hash: 68be06744c5e30d13a0c7e7bb89174ff7d585d8599f483f3a69ba8c937817d33
                              • Instruction Fuzzy Hash: 21910BB5CB810A99CB04EFB4D84A9FE77F8AB34304F304016E106A2581DA759FE4CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 00206890: SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002068B6
                              • MessageBeep.USER32(00000000), ref: 0020C0CC
                                • Part of subcall function 00203CE0: SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00203D18
                                • Part of subcall function 00203CE0: SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 00203D28
                                • Part of subcall function 00203CE0: SendMessageW.USER32(?,?,?,0000104B), ref: 00203D4D
                              • lstrcpyW.KERNEL32 ref: 0020C733
                                • Part of subcall function 00204FE0: LoadStringW.USER32(0000A411,?,00000000,00000001), ref: 00204FF2
                                • Part of subcall function 00204FE0: LoadStringW.USER32(0000A411,?,?), ref: 00205008
                                • Part of subcall function 00206530: lstrlenW.KERNEL32(?,7492B060,001FFA1F), ref: 00206534
                                • Part of subcall function 00206530: CharPrevW.USER32(?,00000000,?), ref: 0020654A
                              • GetSaveFileNameW.COMDLG32(?,?,?,?,?,?), ref: 0020C7BE
                                • Part of subcall function 00204FA0: LoadCursorW.USER32(00000000,00007F02), ref: 00204FA7
                                • Part of subcall function 00204FA0: SetCursor.USER32(00000000,?,?,?,?,?), ref: 00204FAE
                                • Part of subcall function 00204FA0: DestroyCursor.USER32(00000000), ref: 00204FB5
                                • Part of subcall function 00205060: LocalAlloc.KERNEL32(00000040,?,00000000,74D0F6F0,7490BB20,?,0020F281,?,00000100,00002712,?), ref: 0020506E
                                • Part of subcall function 00205060: LoadStringW.USER32(?,00000000,?), ref: 00205087
                                • Part of subcall function 00205060: LoadStringW.USER32(?,00000000,?), ref: 0020509E
                                • Part of subcall function 00205060: LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 002050C2
                                • Part of subcall function 00205060: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 002050C9
                                • Part of subcall function 002058E0: SendMessageW.USER32(0000040B,?,?), ref: 002058F6
                              • SendMessageW.USER32(00000409,00000001,00000000), ref: 0020C81A
                              • InvalidateRect.USER32(00000000,00000001,?,?,?,?,?,?,00000000,00000058), ref: 0020C826
                              • UpdateWindow.USER32 ref: 0020C832
                              • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000,00000058), ref: 0020C84A
                              • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,00000000,00000058), ref: 0020C87E
                              • SetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,?,?,00000000,00000058), ref: 0020C894
                              • SendMessageW.USER32(00000409,00000000,00000000), ref: 0020C8BC
                                • Part of subcall function 00202D90: LoadStringW.USER32(?,?,00000200), ref: 00202DEB
                                • Part of subcall function 00202D90: LoadStringW.USER32(?,?,00000200), ref: 00202E09
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Message$LoadSend$String$File$Cursor$AttributesLocallstrlen$AllocBeepCharCopyDestroyFreeInvalidateNamePrevRectSaveUpdateWindowlstrcpy
                              • String ID: X
                              • API String ID: 1551183220-3081909835
                              • Opcode ID: a535e26dfe3246ad11834accbaccf3ba8085607690e879436d5b7d1230e114e0
                              • Instruction ID: b93497cb4e2ffeadd35c9b2555bc0acb89233fd4f145b70cca26d2bb57c3171d
                              • Opcode Fuzzy Hash: a535e26dfe3246ad11834accbaccf3ba8085607690e879436d5b7d1230e114e0
                              • Instruction Fuzzy Hash: E641B6B16253459BF730DB60EC4ABDB73A8AF44300F54892AF649D21D2EBB05554CB62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GlobalAlloc.KERNEL32(00000040,0000022C,?,?,?), ref: 002030B3
                              • SetPropW.USER32(00000000,DirListData,00000000), ref: 002030DE
                              • lstrcpyW.KERNEL32 ref: 00203104
                              • SHGetFileInfoW.SHELL32(C:\,00000000,?,000002B4,00004001), ref: 00203120
                              • SendMessageW.USER32(00000000,00001003,00000001,00000000), ref: 00203135
                              • SHGetFileInfoW.SHELL32(C:\,00000000,?,000002B4,00004000), ref: 0020314D
                              • SendMessageW.USER32(00000000,00001003,00000000,00000000), ref: 0020315C
                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?), ref: 00203180
                              • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?), ref: 00203190
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: CreateEventFileInfoMessageSend$AllocGlobalProplstrcpy
                              • String ID: C:\$DirListData
                              • API String ID: 1243389431-2784504048
                              • Opcode ID: 36b4de6fb6bb80a1e2852ce1d0ffa5ef45920b9c361d7cef9d736fc56b7172ef
                              • Instruction ID: 1453dd5ec1dc19524766f32272b0447096e23488c81cfa7d9e7a9eb6ece65f23
                              • Opcode Fuzzy Hash: 36b4de6fb6bb80a1e2852ce1d0ffa5ef45920b9c361d7cef9d736fc56b7172ef
                              • Instruction Fuzzy Hash: C8317471690304BFFB60AF50EC8EFA63B98EB08B05F414455FA0C6E1C1D7F5A4548B61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetWindowRect.USER32 ref: 00210CC7
                              • MonitorFromRect.USER32 ref: 00210CEF
                              • GetMonitorInfoW.USER32 ref: 00210CFB
                              • EqualRect.USER32 ref: 00210D4D
                              • SystemParametersInfoW.USER32 ref: 00210D80
                              • DrawAnimatedRects.USER32(?,00000003,?,?), ref: 00210D9A
                              • OffsetRect.USER32(?,?,?), ref: 00210DB7
                              • SetWindowPlacement.USER32(?,0000002C), ref: 00210DC3
                              • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00210DCF
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Rect$Window$InfoMonitorPlacement$AnimatedDrawEqualFromOffsetParametersRectsSystem
                              • String ID: ($,
                              • API String ID: 1691248947-170869519
                              • Opcode ID: 80d2b1e27eb761602471f096d68b550585d3ba58c9b0afc7eb9cc436d990d959
                              • Instruction ID: 48213783ceb9abcae8b04014a62c19f6e8053877be369065346ebc8ab4f578c4
                              • Opcode Fuzzy Hash: 80d2b1e27eb761602471f096d68b550585d3ba58c9b0afc7eb9cc436d990d959
                              • Instruction Fuzzy Hash: 933119B5408305AFD700CF64D989AAFB7F8FF88B04F40891EF58186250EBB4E949CB52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetPropW.USER32(?,DirListData), ref: 0020328A
                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,00203420,?,?), ref: 00203298
                              • WaitForSingleObject.KERNEL32(?,00000000,?,?,?,?,?,?,?,00203420,?,?), ref: 002032A6
                              • PeekMessageW.USER32 ref: 002032D2
                              • TranslateMessage.USER32(?), ref: 002032DD
                              • DispatchMessageW.USER32 ref: 002032E4
                              • WaitForSingleObject.KERNEL32(?,00000000,?,?,?,?,?,?,?,00203420,?,?), ref: 002032EE
                              • ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,00203420,?,?), ref: 00203301
                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,00203420,?,?), ref: 0020330D
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: EventMessage$ObjectSingleWait$DispatchPeekPropResetTranslate
                              • String ID: C:\Users\user\Desktop$DirListData
                              • API String ID: 3160958571-3839085555
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • MessageBeep.USER32(00000000), ref: 0020C0CC
                                • Part of subcall function 00203CE0: SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00203D18
                                • Part of subcall function 00203CE0: SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 00203D28
                                • Part of subcall function 00203CE0: SendMessageW.USER32(?,?,?,0000104B), ref: 00203D4D
                                • Part of subcall function 002064F0: lstrlenW.KERNEL32(?,?,?,001FE260), ref: 002064F5
                                • Part of subcall function 002064F0: CharPrevW.USER32(?,?,?,?,001FE260), ref: 00206512
                                • Part of subcall function 002064F0: CharPrevW.USER32(?,?,?,?,?,001FE260), ref: 0020651C
                              • SendMessageW.USER32(00001032,00000000,00000000), ref: 0020CA89
                              • lstrcpyW.KERNEL32 ref: 0020CAD5
                                • Part of subcall function 00207A20: FindResourceW.KERNEL32(00000000,?,00000005,?,?), ref: 00207A37
                                • Part of subcall function 00207A20: LoadResource.KERNEL32(00000000,00000000), ref: 00207A4A
                                • Part of subcall function 00207A20: LockResource.KERNEL32(00000000), ref: 00207A5B
                                • Part of subcall function 00207A20: SizeofResource.KERNEL32(00000000,00000000), ref: 00207A6E
                                • Part of subcall function 00207A20: LocalAlloc.KERNEL32(00000040,00000040), ref: 00207A84
                                • Part of subcall function 00207A20: FreeResource.KERNEL32(00000000), ref: 00207AA0
                                • Part of subcall function 00207A20: lstrlenW.KERNEL32(?), ref: 00207B1D
                              • DialogBoxIndirectParamW.USER32 ref: 0020CAFD
                              • LocalFree.KERNEL32(00000000,?,Function_000102C0,?), ref: 0020CB0A
                              • lstrcpyW.KERNEL32 ref: 0020CB6C
                              • lstrcatW.KERNEL32(?,?), ref: 0020CB8F
                              • lstrcpyW.KERNEL32 ref: 0020CBD3
                              • lstrcpyW.KERNEL32 ref: 0020CBE5
                              • SHFileOperationW.SHELL32(?,?,?,?,?,Function_000102C0,?), ref: 0020CBEC
                              • SendMessageW.USER32(?,00000111,00019D0D,00000000), ref: 0020CC1D
                              • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000200), ref: 0020CC3B
                              Similarity
                              • API ID: Message$ResourceSend$lstrcpy$CharFileFreeLocalPrevlstrlen$AllocBeepDialogFindIndirectInfoLoadLockOperationParamSizeoflstrcat
                              • String ID:
                              • API String ID: 2905323290-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrcpynW.KERNEL32(?,00309AE0,00000100), ref: 002069C0
                              • wsprintfW.USER32 ref: 002069F3
                              • DdeInitializeW.USER32 ref: 00206A0A
                              • DdeCreateStringHandleW.USER32 ref: 00206A2E
                              • DdeCreateStringHandleW.USER32 ref: 00206A40
                              • DdeConnect.USER32(?,00000000,00000000,00000000), ref: 00206A5A
                              • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00004050,000000FF,00000000), ref: 00206A7C
                              • DdeClientTransaction.USER32(?,00000000), ref: 00206A92
                              • DdeDisconnect.USER32 ref: 00206A99
                              • DdeFreeStringHandle.USER32 ref: 00206ABA
                              • DdeFreeStringHandle.USER32 ref: 00206AC5
                              • DdeUninitialize.USER32(?), ref: 00206ACB
                              Similarity
                              • API ID: HandleString$CreateFree$ClientConnectDisconnectInitializeTransactionUninitializelstrcpynlstrlenwsprintf
                              • String ID:
                              • API String ID: 4165874755-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrcpyW.KERNEL32 ref: 0020C39B
                                • Part of subcall function 00204FE0: LoadStringW.USER32(0000A411,?,00000000,00000001), ref: 00204FF2
                                • Part of subcall function 00204FE0: LoadStringW.USER32(0000A411,?,?), ref: 00205008
                                • Part of subcall function 00206530: lstrlenW.KERNEL32(?,7492B060,001FFA1F), ref: 00206534
                                • Part of subcall function 00206530: CharPrevW.USER32(?,00000000,?), ref: 0020654A
                              • GetSaveFileNameW.COMDLG32 ref: 0020C451
                              • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000002,00000080,00000000), ref: 0020C479
                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000058), ref: 0020C4A2
                              • lstrcpyW.KERNEL32 ref: 0020C4B8
                              • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,00000000,00000058), ref: 0020C4C2
                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00000000,00000058), ref: 0020C4D0
                              • SendMessageW.USER32(?,00000111,00019D0D,00000000), ref: 0020C4E9
                              • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000200), ref: 0020C507
                                • Part of subcall function 00204140: GetShortPathNameW.KERNEL32 ref: 002041A1
                                • Part of subcall function 00204140: SendMessageW.USER32 ref: 00204229
                                • Part of subcall function 00204140: GetShortPathNameW.KERNEL32 ref: 00204254
                                • Part of subcall function 00204140: lstrcmpiW.KERNEL32(?,?), ref: 00204266
                                • Part of subcall function 00204140: SendMessageW.USER32(?,00001053,00000000,?), ref: 0020427C
                              Strings
                              Similarity
                              • API ID: File$MessageNamePathSend$LoadShortStringlstrcpy$CharCloseCreateCurrentDirectoryHandleInfoPrevRemoveSaveSpeclstrcmpilstrlen
                              • String ID: X
                              • API String ID: 394757100-3081909835
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • StrRChrW.SHLWAPI(00308DE8,00000000,0000005C,?,?,?,001F54A3), ref: 001F408A
                              • SHCreateDirectoryExW.SHELL32(00000000,00308DE8,00000000,?,?,?,001F54A3), ref: 001F40A2
                              • PathFileExistsW.SHLWAPI(00308DE8,?,?,?,001F54A3), ref: 001F40B5
                              • PathIsDirectoryW.SHLWAPI(00308DE8), ref: 001F40C4
                              • CreateFileW.KERNEL32(00308DE8,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,001F54A3), ref: 001F40E3
                              • GetFileSize.KERNEL32(00000000,?), ref: 001F40FE
                              • CloseHandle.KERNEL32(00000000), ref: 001F4107
                              • CreateFileW.KERNEL32(00308DE8,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,001F54A3), ref: 001F4131
                              • CloseHandle.KERNEL32(00000000,?,?,?,001F54A3), ref: 001F413D
                              Strings
                              Similarity
                              • API ID: File$Create$CloseDirectoryHandlePath$ExistsSize
                              • String ID: minipath
                              • API String ID: 3237904083-3157150768
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrcmpW.KERNEL32(?,0027E2D8,0000C356,74CF8250,0020F8E3,?), ref: 00206650
                              • lstrcmpW.KERNEL32(?,0027E2E0), ref: 0020665C
                              • lstrcmpW.KERNEL32(?,0027E2D8), ref: 00206668
                              • PathIsRootW.SHLWAPI(0030BF0C), ref: 00206673
                              • lstrcpynW.KERNEL32(?,*.*,00000104), ref: 0020668B
                              • SearchPathW.KERNEL32(0030BF0C,?,00000000,00000104,?,00000000), ref: 002066B4
                              • SearchPathW.KERNEL32(C:\Users\user\Documents,?,00000000,00000104,?,00000000), ref: 002066CE
                              Strings
                              Similarity
                              • API ID: Pathlstrcmp$Search$Rootlstrcpyn
                              • String ID: *.*$C:\Users\user\Documents
                              • API String ID: 2623810893-1877673298
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 00203CE0: SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00203D18
                                • Part of subcall function 00203CE0: SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 00203D28
                                • Part of subcall function 00203CE0: SendMessageW.USER32(?,?,?,0000104B), ref: 00203D4D
                                • Part of subcall function 002064F0: lstrlenW.KERNEL32(?,?,?,001FE260), ref: 002064F5
                                • Part of subcall function 002064F0: CharPrevW.USER32(?,?,?,?,001FE260), ref: 00206512
                                • Part of subcall function 002064F0: CharPrevW.USER32(?,?,?,?,?,001FE260), ref: 0020651C
                              • lstrcpyW.KERNEL32 ref: 00200476
                                • Part of subcall function 00207A20: FindResourceW.KERNEL32(00000000,?,00000005,?,?), ref: 00207A37
                                • Part of subcall function 00207A20: LoadResource.KERNEL32(00000000,00000000), ref: 00207A4A
                                • Part of subcall function 00207A20: LockResource.KERNEL32(00000000), ref: 00207A5B
                                • Part of subcall function 00207A20: SizeofResource.KERNEL32(00000000,00000000), ref: 00207A6E
                                • Part of subcall function 00207A20: LocalAlloc.KERNEL32(00000040,00000040), ref: 00207A84
                                • Part of subcall function 00207A20: FreeResource.KERNEL32(00000000), ref: 00207AA0
                                • Part of subcall function 00207A20: lstrlenW.KERNEL32(?), ref: 00207B1D
                              • DialogBoxIndirectParamW.USER32 ref: 0020049A
                              • LocalFree.KERNEL32(00000000,?,Function_000102C0,?), ref: 002004A7
                              • lstrcpyW.KERNEL32 ref: 00200503
                              • lstrcatW.KERNEL32(?,?), ref: 00200526
                              • lstrcpyW.KERNEL32 ref: 0020056A
                              • lstrcpyW.KERNEL32 ref: 0020057C
                              • SHFileOperationW.SHELL32(?,?,?,?,?,Function_000102C0,?), ref: 00200583
                              • SendMessageW.USER32(?,00000111,00019D0D,00000000), ref: 002005AD
                              • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000200), ref: 002005CC
                              Similarity
                              • API ID: Resource$MessageSendlstrcpy$CharFileFreeLocalPrevlstrlen$AllocDialogFindIndirectInfoLoadLockOperationParamSizeoflstrcat
                              • String ID:
                              • API String ID: 606905921-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • type_info::operator==.LIBVCRUNTIME ref: 0021643C
                              • ___TypeMatch.LIBVCRUNTIME ref: 0021654A
                              • _UnwindNestedFrames.LIBCMT ref: 0021669C
                              • CallUnexpected.LIBVCRUNTIME ref: 002166B7
                              Strings
                              Similarity
                              • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                              • String ID: csm$csm$csm$lU'
                              • API String ID: 2751267872-4067131230
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DName::operator+.LIBCMT ref: 00219051
                              • DName::operator+.LIBCMT ref: 002190A4
                                • Part of subcall function 00217B49: shared_ptr.LIBCMT ref: 00217B65
                                • Part of subcall function 00217A38: DName::operator+.LIBCMT ref: 00217A59
                              • DName::operator+.LIBCMT ref: 00219095
                              • DName::operator+.LIBCMT ref: 002190F5
                              • DName::operator+.LIBCMT ref: 00219102
                              • DName::operator+.LIBCMT ref: 00219149
                              • DName::operator+.LIBCMT ref: 00219156
                              Strings
                              Similarity
                              • API ID: Name::operator+$shared_ptr
                              • String ID: j'
                              • API String ID: 1037112749-4245989812
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LocalAlloc.KERNEL32(00000040,00000268), ref: 002072D3
                              • lstrcpynW.KERNEL32(00000000,Copy/Move MRU,00000100), ref: 00207304
                              • lstrcpynW.KERNEL32(?,?,00000104), ref: 0020736D
                              • lstrlenW.KERNEL32(?), ref: 00207378
                              • SendMessageW.USER32(00000143,00000143,00000000,?), ref: 0020738E
                              • LocalFree.KERNEL32(00000000), ref: 002073AD
                              • LocalFree.KERNEL32(?), ref: 002073CD
                              Strings
                              Similarity
                              • API ID: Local$Freelstrcpyn$AllocMessageSendlstrlen
                              • String ID: Copy/Move MRU
                              • API String ID: 876074594-4109381532
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • MessageBeep.USER32(00000000), ref: 0020C0CC
                              • SendMessageW.USER32(00001032,00000000,00000000), ref: 0020CC72
                              • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 0020CC8C
                              • SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 0020CCA0
                              • SendMessageW.USER32 ref: 0020CCCF
                              • GetParent.USER32(?), ref: 0020CCFB
                              • GetParent.USER32(?), ref: 0020CD1B
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Message$Send$Parent$Beep
                              • String ID: $
                              • API String ID: 3721797063-3993045852
                              • Opcode ID: ad9f20caed8dcc9745c075c01c7645f394815d8f679968e11fc1c0d0445d5251
                              • Instruction ID: cecb2ce9e88b162e36408f22007ddbd8b5486f7f369880107835c31c31877349
                              • Opcode Fuzzy Hash: ad9f20caed8dcc9745c075c01c7645f394815d8f679968e11fc1c0d0445d5251
                              • Instruction Fuzzy Hash: 55317CB0208301AFE720CF10CC85B5BBBE8BB88754F404919F6899B2D1CBB1E844CB61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 001F33B0: lstrlenW.KERNEL32(?,?), ref: 001F3516
                                • Part of subcall function 001F4160: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,769C3E10,74CF8250,?,769CCB20), ref: 001F418A
                                • Part of subcall function 001F4160: PathIsRelativeW.SHLWAPI(?,?,769CCB20), ref: 001F4198
                                • Part of subcall function 001F4160: lstrcpyW.KERNEL32 ref: 001F41B2
                                • Part of subcall function 001F4160: PathFindFileNameW.SHLWAPI(?,?,?,769CCB20), ref: 001F41C1
                                • Part of subcall function 001F4160: lstrcpyW.KERNEL32 ref: 001F41C8
                                • Part of subcall function 001F4160: PathFileExistsW.KERNELBASE(?,?,769CCB20), ref: 001F41CF
                                • Part of subcall function 001F4160: PathIsDirectoryW.SHLWAPI(?), ref: 001F41E4
                                • Part of subcall function 001F4160: lstrcpyW.KERNEL32 ref: 001F41F4
                                • Part of subcall function 001F4160: PathRemoveFileSpecW.SHLWAPI(?,?,769CCB20), ref: 001F41FB
                                • Part of subcall function 001F4160: lstrcatW.KERNEL32(?,\np3\), ref: 001F4211
                                • Part of subcall function 001F4160: lstrcatW.KERNEL32(?,?), ref: 001F4220
                                • Part of subcall function 001F4160: PathFileExistsW.KERNELBASE(?,?,769CCB20), ref: 001F4227
                                • Part of subcall function 001F4160: PathIsDirectoryW.SHLWAPI(?), ref: 001F4236
                                • Part of subcall function 001F4160: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,769CCB20), ref: 001F424F
                                • Part of subcall function 001F4160: PathAppendW.SHLWAPI(?,?,?,769CCB20), ref: 001F4262
                                • Part of subcall function 001F4160: PathFileExistsW.KERNELBASE(?,?,769CCB20), ref: 001F426D
                                • Part of subcall function 001F4160: PathIsDirectoryW.SHLWAPI(?), ref: 001F427C
                              • lstrcpyW.KERNEL32 ref: 001F437D
                              • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,769C3E10,74CF8250), ref: 001F43B1
                              • PathIsRelativeW.SHLWAPI(?,?,?,769C3E10,74CF8250), ref: 001F43BF
                              • lstrcpyW.KERNEL32 ref: 001F43D1
                              • PathFindFileNameW.SHLWAPI(?,?,?,?,769C3E10,74CF8250), ref: 001F43DC
                              • lstrcpyW.KERNEL32 ref: 001F43E3
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Path$Filelstrcpy$DirectoryExists$EnvironmentExpandFindNameRelativeStringslstrcat$AppendFolderRemoveSpeclstrlen
                              • String ID: minipath.ini
                              • API String ID: 785113118-2848199397
                              • Opcode ID: c8873a85ff893aae967b624ffb2bbdbcda9d8d0d87bf36461da038492778de03
                              • Instruction ID: c80fd0f1552f916071c519ff8d8e24e504017816432a6481bc87e4c9a7e55c19
                              • Opcode Fuzzy Hash: c8873a85ff893aae967b624ffb2bbdbcda9d8d0d87bf36461da038492778de03
                              • Instruction Fuzzy Hash: 592174B66142185BD720EB24EC85BFF73ECABE8310F45442EF649C3150EA74D5998B63
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrcpyW.KERNEL32 ref: 0020D056
                                • Part of subcall function 00207A20: FindResourceW.KERNEL32(00000000,?,00000005,?,?), ref: 00207A37
                                • Part of subcall function 00207A20: LoadResource.KERNEL32(00000000,00000000), ref: 00207A4A
                                • Part of subcall function 00207A20: LockResource.KERNEL32(00000000), ref: 00207A5B
                                • Part of subcall function 00207A20: SizeofResource.KERNEL32(00000000,00000000), ref: 00207A6E
                                • Part of subcall function 00207A20: LocalAlloc.KERNEL32(00000040,00000040), ref: 00207A84
                                • Part of subcall function 00207A20: FreeResource.KERNEL32(00000000), ref: 00207AA0
                                • Part of subcall function 00207A20: lstrlenW.KERNEL32(?), ref: 00207B1D
                              • DialogBoxIndirectParamW.USER32 ref: 0020D07E
                              • LocalFree.KERNEL32(00000000,?,Function_0000FEA0,00000000), ref: 0020D08B
                              • lstrcmpiW.KERNEL32(0030D39C,?,?,Function_0000FEA0,00000000), ref: 0020D0A7
                              • SendMessageW.USER32(?,00000111,00019D0D,00000000), ref: 0020D0FB
                              • SendMessageW.USER32(00001013,00000000,00000000,00000000), ref: 0020D12F
                              • lstrcmpW.KERNEL32(0030D39C,*.*,?,Function_0000FEA0,00000000), ref: 0020D13B
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: Resource$FreeLocalMessageSend$AllocDialogFindIndirectLoadLockParamSizeoflstrcmplstrcmpilstrcpylstrlen
                              • String ID: *.*
                              • API String ID: 773039121-438819550
                              • Opcode ID: 308c63f70362906addef1ac65181620ee8ba60e8f3181f3d299a4f669f4c5025
                              • Instruction ID: 24b8c7d890c5205b44463ec0231afc707d955e56d7a0ca42f14938c7548a8a9b
                              • Opcode Fuzzy Hash: 308c63f70362906addef1ac65181620ee8ba60e8f3181f3d299a4f669f4c5025
                              • Instruction Fuzzy Hash: 02210A75615341ABE730AF60FC59BEBB3ACEB40314F044426F60D921D2DBB55865CB52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SendMessageW.USER32(?,0000200B,00000000,Explorer), ref: 0020448F
                              • SendMessageW.USER32(?,00000155,00000001,00000000), ref: 0020449B
                              • SHGetFileInfoW.SHELL32(C:\,00000000,?,000002B4,00004001), ref: 002044C7
                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002044D6
                              • SendMessageW.USER32(?,0000040E,00000008,00000008), ref: 002044E2
                              • SendMessageW.USER32(?,0000040E,00000020,00000020), ref: 002044EE
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: MessageSend$FileInfo
                              • String ID: C:\$Explorer
                              • API String ID: 521633743-4050850895
                              • Opcode ID: ef4b6e46fd6f033758e243bbcc3c249360dc88fe65596874ebc92a1516dc80aa
                              • Instruction ID: c019801e24859161f483651ec28aafb7704816fb0ee61484635acbccd6406100
                              • Opcode Fuzzy Hash: ef4b6e46fd6f033758e243bbcc3c249360dc88fe65596874ebc92a1516dc80aa
                              • Instruction Fuzzy Hash: AB018F717D031476F630A710AC8BFAE3BACAB99F10F40440AB708BE1C1DAF464558BA6
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 00203CE0: SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00203D18
                                • Part of subcall function 00203CE0: SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 00203D28
                                • Part of subcall function 00203CE0: SendMessageW.USER32(?,?,?,0000104B), ref: 00203D4D
                              • lstrcpyW.KERNEL32 ref: 0020C95E
                              • SHFileOperationW.SHELL32(?), ref: 0020C9C8
                              • WaitForSingleObject.KERNEL32(00000000), ref: 0020C9D6
                              • SendMessageW.USER32(?,00000111,00019D0D,00000000), ref: 0020C9F6
                              • SendMessageW.USER32(00001004,00000000,00000000), ref: 0020CA0C
                              • SendMessageW.USER32(00001004,00000000,00000000), ref: 0020CA22
                              • SendMessageW.USER32(0000102B,00000000,?), ref: 0020CA51
                              • SendMessageW.USER32(00001013,00000000,00000000), ref: 0020CA61
                              • FindNextChangeNotification.KERNEL32 ref: 0020CA69
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: MessageSend$ChangeFileFindNextNotificationObjectOperationSingleWaitlstrcpy
                              • String ID:
                              • API String ID: 1797783416-0
                              • Opcode ID: 39f527987d985793fc71a7068bcb128b3ead458fc4e29ee23caaf08c70c19c15
                              • Instruction ID: 6cbc8c6959e9e50e5d8f9742eab41157ec5e74ddf75c32fa44fcb7d05bf476cf
                              • Opcode Fuzzy Hash: 39f527987d985793fc71a7068bcb128b3ead458fc4e29ee23caaf08c70c19c15
                              • Instruction Fuzzy Hash: 1D4106B5514345ABE7309F20EC48BDBB7E8FB84714F11461AF288961E0D7B19884CF52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SHGetSpecialFolderLocation.SHELL32(?,00000011,?), ref: 0020457E
                              • SHGetDesktopFolder.SHELL32(?,?,00000011,?), ref: 00204591
                              • SHGetDataFromIDListW.SHELL32(?,?,00000003,?,00000014), ref: 00204643
                              • CoTaskMemAlloc.OLE32(00000008,?,?,?,00000020,?,?,00000011,?), ref: 0020465F
                              • CoTaskMemFree.OLE32(?,?,00000011,?), ref: 0020472E
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: FolderTask$AllocDataDesktopFreeFromListLocationSpecial
                              • String ID: $'
                              • API String ID: 1299561470-2481900351
                              • Opcode ID: 5c23af8631b58bd7db7219eec4a6c1a17bd9d07a05d62f243abee309ed21e688
                              • Instruction ID: 0d030b10eb758aade9869bb44311c34a50c796712687a7a0e8648d14bb233111
                              • Opcode Fuzzy Hash: 5c23af8631b58bd7db7219eec4a6c1a17bd9d07a05d62f243abee309ed21e688
                              • Instruction Fuzzy Hash: 53610771204302AFD710DF58DC81F6AB7E8AFC9B04F10891CF694DB2A1DBB1E9568B52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • _ValidateLocalCookies.LIBCMT ref: 002146A7
                              • ___except_validate_context_record.LIBVCRUNTIME ref: 002146AF
                              • _ValidateLocalCookies.LIBCMT ref: 00214738
                              • __IsNonwritableInCurrentImage.LIBCMT ref: 00214763
                              • _ValidateLocalCookies.LIBCMT ref: 002147B8
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                              • String ID: csm$7!
                              • API String ID: 1170836740-2927358783
                              • Opcode ID: 2074582c62563e1c188bfff72818113a1584ec5583ef2b339e3c51136f3ecc5a
                              • Instruction ID: 6edf6ef7143829134870b16ff2937482a999e4f445ee687bb6259fb006e88836
                              • Opcode Fuzzy Hash: 2074582c62563e1c188bfff72818113a1584ec5583ef2b339e3c51136f3ecc5a
                              • Instruction Fuzzy Hash: 4D519474A202199FCB10EF58D8849DEBBE5AF56314F148095E81C9B392D731EAA6CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SendMessageW.USER32(?,00000146,00000000,00000000), ref: 00204842
                              • SendMessageW.USER32(?,0000040D,00000000,00000020), ref: 00204871
                              • StrRetToBufW.SHLWAPI(?,7490BB20,?,00000040), ref: 002048A3
                              • PathIsSameRootW.SHLWAPI(00000020,?), ref: 002048B5
                              • SendMessageW.USER32(?,0000014E,00000001,00000000), ref: 002048D4
                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002048FA
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: MessageSend$PathRootSame
                              • String ID:
                              • API String ID: 2384681124-3916222277
                              • Opcode ID: bb2e0d00591c8acc1947a4c0157e36cf03e2cb7faf4e6d9b3550efb18b5cfb3b
                              • Instruction ID: 93c5e64aa06de7eca2c9f023c2cd8f80c33beb30b09e8820ccc1d29a89f9a4e8
                              • Opcode Fuzzy Hash: bb2e0d00591c8acc1947a4c0157e36cf03e2cb7faf4e6d9b3550efb18b5cfb3b
                              • Instruction Fuzzy Hash: 422192B1204345AFE720DF55EC45FABB7ECEB88B00F018429F648971D1D7B0E8148B61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNEL32(00308DE8,C0000000,00000003,00000000,00000004,00000080,00000000), ref: 001F2928
                              • LockFileEx.KERNEL32(00000000,00000002,00000000,000000FF,00000000,?), ref: 001F2947
                              • FlushFileBuffers.KERNEL32(7491C0B0,7491C0B0), ref: 001F299A
                              • UnlockFileEx.KERNEL32(7491C0B0,00000000,000000FF,00000000,?), ref: 001F29AC
                              • CloseHandle.KERNEL32(7491C0B0), ref: 001F29B3
                                • Part of subcall function 00202F30: GetLastError.KERNEL32(?,00000000,?,?,001F2773), ref: 00202F39
                                • Part of subcall function 00202F30: FormatMessageW.KERNEL32 ref: 00202F63
                                • Part of subcall function 00202F30: lstrlenW.KERNEL32(00000000,00000000,00308DE8), ref: 00202F7A
                                • Part of subcall function 00202F30: lstrlenW.KERNEL32(00000000), ref: 00202F82
                                • Part of subcall function 00202F30: LocalAlloc.KERNEL32(00000040,00000000), ref: 00202F92
                                • Part of subcall function 00202F30: GetFocus.USER32(00000000,00000000,?,?,00000000,00000000,?,?,001F2773), ref: 00202FBF
                                • Part of subcall function 00202F30: MessageBoxExW.USER32 ref: 00202FDA
                                • Part of subcall function 00202F30: LocalFree.KERNEL32(00000000,?,?,001F2773), ref: 00202FE1
                                • Part of subcall function 00202F30: LocalFree.KERNEL32(?), ref: 00202FE7
                              Strings
                              • AcquireWriteFileLock(): NO EXCLUSIVE LOCK ACQUIRED!, xrefs: 001F2956
                              • AcquireWriteFileLock(): INVALID FILE HANDLE!, xrefs: 001F29C2
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: File$Local$FreeMessagelstrlen$AllocBuffersCloseCreateErrorFlushFocusFormatHandleLastLockUnlock
                              • String ID: AcquireWriteFileLock(): INVALID FILE HANDLE!$AcquireWriteFileLock(): NO EXCLUSIVE LOCK ACQUIRED!
                              • API String ID: 3792989122-250906885
                              • Opcode ID: b33471676a3f6ab61f51facbd34628324068ff0e8bd3a7cbad8c595acad55f3b
                              • Instruction ID: dbaff0d3637631853802acefb03ecec69d86e81cfc79198017eacfa61ece0f78
                              • Opcode Fuzzy Hash: b33471676a3f6ab61f51facbd34628324068ff0e8bd3a7cbad8c595acad55f3b
                              • Instruction Fuzzy Hash: DD216D3135131363E72167289C4DB7A3258BFC1338F254326FB65E70D0DBF458498265
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetPropW.USER32(00000000,DirListData), ref: 002031CA
                                • Part of subcall function 00203280: GetPropW.USER32(?,DirListData), ref: 0020328A
                                • Part of subcall function 00203280: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,00203420,?,?), ref: 00203298
                                • Part of subcall function 00203280: WaitForSingleObject.KERNEL32(?,00000000,?,?,?,?,?,?,?,00203420,?,?), ref: 002032A6
                                • Part of subcall function 00203280: PeekMessageW.USER32 ref: 002032D2
                                • Part of subcall function 00203280: TranslateMessage.USER32(?), ref: 002032DD
                                • Part of subcall function 00203280: DispatchMessageW.USER32 ref: 002032E4
                                • Part of subcall function 00203280: WaitForSingleObject.KERNEL32(?,00000000,?,?,?,?,?,?,?,00203420,?,?), ref: 002032EE
                                • Part of subcall function 00203280: ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,00203420,?,?), ref: 00203301
                                • Part of subcall function 00203280: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,00203420,?,?), ref: 0020330D
                              • CloseHandle.KERNEL32(?), ref: 002031DF
                              • CloseHandle.KERNEL32(?), ref: 002031EB
                              • CoTaskMemFree.OLE32(?), ref: 002031F9
                              • RemovePropW.USER32 ref: 00203214
                              • GlobalFree.KERNEL32 ref: 0020321B
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1f0000_HkObDPju6Z.jbxd
                              Similarity
                              • API ID: EventMessageProp$CloseFreeHandleObjectSingleWait$DispatchGlobalPeekRemoveResetTaskTranslate
                              • String ID: DirListData
                              • API String ID: 222544525-869039069
                              • Opcode ID: 3a860e15d9602339ad62950fcd6a9daa19d541eb30f0f7ca615d7bf3dae188da
                              • Instruction ID: 6eeccddf11e34b9fb0e338590a6bcd71cfd494deab3f222308128e79adb8ce74
                              • Opcode Fuzzy Hash: 3a860e15d9602339ad62950fcd6a9daa19d541eb30f0f7ca615d7bf3dae188da
                              • Instruction Fuzzy Hash: 05F03035310201AFEF04AFB5EC8DD19B768BF493123058528F41AC2161CBB0DC608A20
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,00266680,00000000,00000000,?,00000000,?,?,?,?,00000000,?), ref: 00266456
                              • __alloca_probe_16.LIBCMT ref: 00266511
                              • __alloca_probe_16.LIBCMT ref: 002665A0
                              • __freea.LIBCMT ref: 002665EB
                              • __freea.LIBCMT ref: 002665F1
                              • __freea.LIBCMT ref: 00266627
                              • __freea.LIBCMT ref: 0026662D
                              • __freea.LIBCMT ref: 0026663D
                              Similarity
                              • API ID: __freea$__alloca_probe_16$Info
                              • String ID:
                              • API String ID: 127012223-0
                              • Opcode ID: f1b616d51afebb79b1444f2f86451ad0f160b8f7e32f5e1ccac19da4e514a20d
                              • Instruction ID: 2fd8bfa90d7f55dfcb0e81083ff5b754b209e39b61d4ff42437ed11182906b75
                              • Opcode Fuzzy Hash: f1b616d51afebb79b1444f2f86451ad0f160b8f7e32f5e1ccac19da4e514a20d
                              • Instruction Fuzzy Hash: 80712772924207ABDF319F64DC4ABAE7BB9AF45310F180059E905B7281DB75DCA48BA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LoadStringW.USER32(?,?,00000200), ref: 00202DEB
                              • LoadStringW.USER32(?,?,00000200), ref: 00202E09
                              • StrChrW.SHLWAPI(?,0000000A,?,?,?,?,?,?,?,?,74CF8250), ref: 00202E78
                              • lstrcpyW.KERNEL32 ref: 00202E90
                              • lstrcpyW.KERNEL32 ref: 00202EB0
                              • lstrcpyW.KERNEL32 ref: 00202EBC
                              • GetFocus.USER32(?,?,?,?,?,?,?,?,74CF8250), ref: 00202EBE
                              • MessageBoxExW.USER32 ref: 00202F01
                              Similarity
                              • API ID: lstrcpy$LoadString$FocusMessage
                              • String ID:
                              • API String ID: 3506571364-0
                              • Opcode ID: 8e46b8a2ee58ac184b1574aee5bb20f79a9bc2003b36496cf48dedbf98074c0b
                              • Instruction ID: 5fef964613c9f03b142eaa2b0df7e0a2f14a34ca14a222ed1619132a9b7e63aa
                              • Opcode Fuzzy Hash: 8e46b8a2ee58ac184b1574aee5bb20f79a9bc2003b36496cf48dedbf98074c0b
                              • Instruction Fuzzy Hash: 1241C3B5510315EBD721DB20EC49BEB77ECEF48300F40882AF68AD3191EA74E5598B92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetShortPathNameW.KERNEL32 ref: 002041A1
                              • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000200), ref: 002041F5
                              • SendMessageW.USER32 ref: 00204229
                              • GetShortPathNameW.KERNEL32 ref: 00204254
                              • lstrcmpiW.KERNEL32(?,?), ref: 00204266
                              • SendMessageW.USER32(?,00001053,00000000,?), ref: 0020427C
                              • SendMessageW.USER32(?,0000102B,00000000,?), ref: 002042BC
                              • SendMessageW.USER32(?,00001013,00000000,00000000), ref: 002042C7
                              Similarity
                              • API ID: MessageSend$NamePathShort$FileInfolstrcmpi
                              • String ID:
                              • API String ID: 2457365294-0
                              • Opcode ID: 2aa00b5c2fc6256536898b1372e7fdc8d7c2564ce3544be7ac917d2c004fba64
                              • Instruction ID: be730a18a0f6eb3c251015e0bd1e95434fbc88a4690649a2f016aa2ccdc6de20
                              • Opcode Fuzzy Hash: 2aa00b5c2fc6256536898b1372e7fdc8d7c2564ce3544be7ac917d2c004fba64
                              • Instruction Fuzzy Hash: 5341D1B1604301ABE730EF24DC85FABB3ECEB88710F00451DFA58971D1E6B4DA448A62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LocalFree.KERNEL32(0027FD20,23499D16,749048C0,00000204), ref: 00207069
                              • lstrlenW.KERNEL32(?,?,?,?,23499D16,749048C0,00000204), ref: 002070E0
                              • StrDupW.SHLWAPI(?,?,?,?,23499D16,749048C0,00000204), ref: 0020713B
                              Strings
                              Similarity
                              • API ID: FreeLocallstrlen
                              • String ID: "$"$%.2i
                              • API String ID: 3681330831-3884397407
                              • Opcode ID: ea893616e4bf344343a28449c96ccb7b78fa47a2a500a681e91f46cf0740dc12
                              • Instruction ID: 58c641f254f027924f18e9cadb6cdfc55f7734691bb0dc0f783bbba4b7fc9fbd
                              • Opcode Fuzzy Hash: ea893616e4bf344343a28449c96ccb7b78fa47a2a500a681e91f46cf0740dc12
                              • Instruction Fuzzy Hash: 3B41B171D1431D9BCB10EF65DC49BAAB3F9FB04310F0181A9E859A3282DB71A9548FE0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00204931
                              • SendMessageW.USER32 ref: 0020495B
                              • GetParent.USER32(?), ref: 00204976
                              • GetParent.USER32(?), ref: 00204997
                              Strings
                              Similarity
                              • API ID: MessageParentSend
                              • String ID: $$
                              • API String ID: 928151917-182950533
                              • Opcode ID: 4f8654029db29a522f1cbdeb765d3b2c3785d79f10e6e1ec9b10a9452606269c
                              • Instruction ID: 42318b2f8fdd066c27fd43b6a8d331b8927f1512a24e17fcd47690d2032a3720
                              • Opcode Fuzzy Hash: 4f8654029db29a522f1cbdeb765d3b2c3785d79f10e6e1ec9b10a9452606269c
                              • Instruction Fuzzy Hash: FA218071204304AFE700DF58DC84B57BBE8FB88764F50452EF959D7290D7B5E9098B92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,23499D16,?,0025315A,?,?,?,00000000), ref: 0025310E
                              Strings
                              Similarity
                              • API ID: FreeLibrary
                              • String ID: api-ms-$ext-ms-
                              • API String ID: 3664257935-537541572
                              • Opcode ID: ca58ba18d8278ddf147d7f333516928f6de966db183d19f1ed298edb19631b82
                              • Instruction ID: b395f4f9737b9cc9960fe4d6416800183de087d0f8578187431df638500f656c
                              • Opcode Fuzzy Hash: ca58ba18d8278ddf147d7f333516928f6de966db183d19f1ed298edb19631b82
                              • Instruction Fuzzy Hash: 7B21EB35621311ABCB32DF24EC45A5A3758AF417A1F265120ED46A72D0EB71EE24CAD4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0020CDB5
                              • SendMessageW.USER32 ref: 0020CDD9
                              • GetParent.USER32(?), ref: 0020CDFA
                              • GetParent.USER32(?), ref: 0020CE1A
                              Strings
                              Similarity
                              • API ID: MessageParentSend
                              • String ID: $$
                              • API String ID: 928151917-182950533
                              • Opcode ID: fcbcfc46f06d3733083783d01cb0f295b29fe33f71514f8e8a5fe80343555fc1
                              • Instruction ID: 49dc1e338cab6992fa99252f621208d7477c6fc5c2a1b2c3388e5b4279f94cba
                              • Opcode Fuzzy Hash: fcbcfc46f06d3733083783d01cb0f295b29fe33f71514f8e8a5fe80343555fc1
                              • Instruction Fuzzy Hash: 6D2157B1208300AFE710CF24CC84B5BBBE8EF88714F004919F6599B2A1C7B2E8458F62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DefWindowProcW.USER32 ref: 0020931E
                              • lstrcmpW.KERNEL32(0030D39C,*.*), ref: 00209330
                              • SendMessageW.USER32(00001024,00000000,00D77800), ref: 0020939A
                              • SendMessageW.USER32(00001004,00000000,00000000), ref: 002093AB
                              • SendMessageW.USER32(00001015,00000000,-00000001), ref: 002093BC
                              Strings
                              Similarity
                              • API ID: MessageSend$ProcWindowlstrcmp
                              • String ID: *.*
                              • API String ID: 3670981246-438819550
                              • Opcode ID: 46547911283c739fa1fd5bbe41d3dfdc5ccb5a4741353df9f39d6e9b3b5f8d67
                              • Instruction ID: e24004917b7e9be85a85046ad5ad1d6a2898b35f83ebfc6488b1915bafd419df
                              • Opcode Fuzzy Hash: 46547911283c739fa1fd5bbe41d3dfdc5ccb5a4741353df9f39d6e9b3b5f8d67
                              • Instruction Fuzzy Hash: 4311A530225305EADB215B61FC1ABBA3668E745704F184057F606961E3DBF15C90DF61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00214590
                                • Part of subcall function 00214121: std::exception::exception.LIBCONCRT ref: 0021412E
                                • Part of subcall function 002159E1: RaiseException.KERNEL32(E06D7363,00000001,00000003,002139B2,?,?,?,?,002139B2,?,00280B3C), ref: 00215A41
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 002145B0
                                • Part of subcall function 00214195: std::exception::exception.LIBCONCRT ref: 002141A2
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 002145D0
                                • Part of subcall function 002141CF: std::exception::exception.LIBCONCRT ref: 002141DC
                              • std::regex_error::regex_error.LIBCPMT ref: 002145F0
                                • Part of subcall function 00214212: std::exception::exception.LIBCONCRT ref: 0021422A
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00214610
                                • Part of subcall function 0021425B: std::exception::exception.LIBCONCRT ref: 00214268
                              Strings
                              Similarity
                              • API ID: std::exception::exception$std::invalid_argument::invalid_argument$ExceptionRaisestd::regex_error::regex_error
                              • String ID: bad function call
                              • API String ID: 2470674941-3612616537
                              • Opcode ID: f756ea7852748af1f09fb8bede580df4cd609f9f7bf2420e374ab5fb3cc69bb6
                              • Instruction ID: 0de71436d1d5301915bb0a09ebc0c25249160931cad9c5679a065b82fcdfe08d
                              • Opcode Fuzzy Hash: f756ea7852748af1f09fb8bede580df4cd609f9f7bf2420e374ab5fb3cc69bb6
                              • Instruction Fuzzy Hash: A1115275C2420CB7CB01FAE4DD47CCDB7BCAE24700F908460BA1892495EB70A7A9DED2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • PathIsRelativeW.SHLWAPI(0030D194,00000000), ref: 0020A768
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0020A77E
                              • PathRemoveFileSpecW.SHLWAPI(?), ref: 0020A789
                              • PathAppendW.SHLWAPI(?,0030D194), ref: 0020A795
                              • PathFileExistsW.SHLWAPI(0030D194), ref: 0020A7A0
                              • PathIsDirectoryW.SHLWAPI(0030D194), ref: 0020A7AB
                              • LoadImageW.USER32 ref: 0020A7BF
                              Similarity
                              • API ID: Path$File$AppendDirectoryExistsImageLoadModuleNameRelativeRemoveSpec
                              • String ID:
                              • API String ID: 1924643234-0
                              • Opcode ID: 868af56f4d91fa1f7c2f70e34017b1af2a2ed2dad37591f827e87d9747d04f33
                              • Instruction ID: d1d4ff5f06b023df0d69478493b2b19912d577262b132d8289d29d1d8c2bdd8c
                              • Opcode Fuzzy Hash: 868af56f4d91fa1f7c2f70e34017b1af2a2ed2dad37591f827e87d9747d04f33
                              • Instruction Fuzzy Hash: C10184B5604311AFDB20AF60EC4DBBF77ECEF58700F418819F44AC2191EA7495548B62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001F131A
                              • #410.COMCTL32(?,001F1550,00000000,00000000), ref: 001F1340
                              • SendMessageW.USER32(?,00001036,00000000,00010030), ref: 001F1353
                              • SendMessageW.USER32(?,00000127,00010001,00000000), ref: 001F1362
                              Strings
                              Similarity
                              • API ID: MessageSend$#410
                              • String ID: :@!$ItemsView
                              • API String ID: 147371132-4121140613
                              • Opcode ID: 20ac8f7b605aeab0c4349d571899e8db0a6ec6019ff5a03ce2050dfc9686912b
                              • Instruction ID: 0300a16ece46b637bac486e76688fd66c21c0244784af84c2830c049a922b054
                              • Opcode Fuzzy Hash: 20ac8f7b605aeab0c4349d571899e8db0a6ec6019ff5a03ce2050dfc9686912b
                              • Instruction Fuzzy Hash: 05F096B5B903247AF63217506C47FBA2A6C9799F90F110057F3047E0D1C6E538419BB9
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,002124C9,0021242C,00212993), ref: 00212465
                              • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0021247B
                              • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00212490
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              • Associated: 00000006.00000002.462961350.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463050612.0000000000283000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463056418.0000000000284000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.0000000000307000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463112228.000000000030B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000006.00000002.463128952.000000000030E000.00000002.00000001.01000000.00000003.sdmp
                              Similarity
                              • API ID: AddressProc$HandleModule
                              • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                              • API String ID: 667068680-1718035505
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,23499D16,?,?,00000000,0026D8A8,000000FF,?,0024A4EB,0024A63A,?,0024A4BF,00000000), ref: 0024A599
                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0024A5AB
                              • FreeLibrary.KERNEL32(00000000,?,?,00000000,0026D8A8,000000FF,?,0024A4EB,0024A63A,?,0024A4BF,00000000), ref: 0024A5CD
                              Strings
                              Similarity
                              • API ID: AddressFreeHandleLibraryModuleProc
                              • String ID: CorExitProcess$mscoree.dll$7!
                              • API String ID: 4061214504-1306565484
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0021D92E: Replicator::operator[].LIBCMT ref: 0021D96B
                              • DName::operator=.LIBVCRUNTIME ref: 0021C50A
                                • Part of subcall function 0021C0A2: DName::operator+.LIBCMT ref: 0021C10D
                                • Part of subcall function 0021C0A2: DName::operator+.LIBCMT ref: 0021C3D7
                              • DName::operator+.LIBCMT ref: 0021C4C4
                              • DName::operator+.LIBCMT ref: 0021C4D0
                              • DName::DName.LIBVCRUNTIME ref: 0021C522
                              • DName::operator+.LIBCMT ref: 0021C531
                              • DName::operator+.LIBCMT ref: 0021C53D
                              Similarity
                              • API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
                              • String ID:
                              • API String ID: 955152517-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,00000000,00000000,?,00000000,00000000,?,00211507,?,00000000,00000000), ref: 002112AD
                              • CreateFileMappingW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,?,00211507,?,00000000,00000000,?,?,00000104,?), ref: 002112C1
                              • CloseHandle.KERNEL32(00000000,?,00211507,?,00000000,00000000,?,?,00000104,?), ref: 002112CA
                              • MapViewOfFile.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,00211507,?,00000000,00000000,?,?,00000104,?), ref: 002112DA
                              • CloseHandle.KERNEL32(00000000,?,00211507,?,00000000,00000000,?,?,00000104,?), ref: 002112E3
                              • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,00000000,00000000,?,00211507,?,00000000,00000000,?,?,00000104,?), ref: 00211300
                              Similarity
                              • API ID: File$CloseCreateHandle$LibraryLoadMappingView
                              • String ID:
                              • API String ID: 1262414356-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • ShowWindow.USER32(?,00000000), ref: 002026E9
                              • ShowWindow.USER32(00000000,?,00000000), ref: 002026F3
                                • Part of subcall function 00207C40: DialogBoxIndirectParamW.USER32 ref: 00207C5A
                                • Part of subcall function 00207C40: LocalFree.KERNEL32(00000000), ref: 00207C67
                              • ShowWindow.USER32(00000001), ref: 00202715
                              • ShowWindow.USER32(?,00000001), ref: 0020271A
                              • CheckRadioButton.USER32 ref: 00202729
                              • CheckRadioButton.USER32 ref: 00202732
                              Similarity
                              • API ID: ShowWindow$ButtonCheckRadio$DialogFreeIndirectLocalParam
                              • String ID:
                              • API String ID: 468163734-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Strings
                              Similarity
                              • API ID: AdjustPointer
                              • String ID: 7!
                              • API String ID: 1740715915-945759478
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DName::operator+.LIBCMT ref: 0021A5C7
                                • Part of subcall function 00217B0D: DName::operator+=.LIBCMT ref: 00217B23
                              Strings
                              Similarity
                              • API ID: Name::operator+Name::operator+=
                              • String ID: i'
                              • API String ID: 382699925-4110741785
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,00307EAA,00000104), ref: 0024C3E6
                              Strings
                              Similarity
                              • API ID: FileModuleName
                              • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                              • API String ID: 514040917-4022980321
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • __is_exception_typeof.LIBVCRUNTIME ref: 00214F77
                              Strings
                              Similarity
                              • API ID: __is_exception_typeof
                              • String ID: MOC$RCC$csm$lU'
                              • API String ID: 3140442014-69757476
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • PathFindExtensionW.SHLWAPI(?,.lnk,00000000,-00000001), ref: 002061E2
                              • lstrcmpiW.KERNEL32(00000000), ref: 002061E9
                                • Part of subcall function 00206080: CoCreateInstance.OLE32(0027378C,00000000,00000001,0026FD7C,?,0000C356,?), ref: 002060AF
                                • Part of subcall function 00206080: lstrcpyW.KERNEL32 ref: 002060DB
                                • Part of subcall function 00206080: ExpandEnvironmentStringsW.KERNEL32(?,?,00000138), ref: 00206152
                                • Part of subcall function 00206080: lstrcpynW.KERNEL32(?,?,?), ref: 0020616C
                              • PathIsDirectoryW.SHLWAPI(?), ref: 00206229
                              • lstrcpynW.KERNEL32(?,?,?), ref: 00206240
                              Strings
                              Similarity
                              • API ID: Pathlstrcpyn$CreateDirectoryEnvironmentExpandExtensionFindInstanceStringslstrcmpilstrcpy
                              • String ID: .lnk
                              • API String ID: 403286655-24824748
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383},00000000,00000001,?), ref: 00210F5E
                              • RegQueryValueExW.ADVAPI32(?,Locale,00000000,00000000,?,00000006), ref: 00210F7B
                              • RegCloseKey.ADVAPI32(?), ref: 00210F86
                              Strings
                              • Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}, xrefs: 00210F54
                              • Locale, xrefs: 00210F73
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID: Locale$Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
                              • API String ID: 3677997916-1161606707
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrcmpW.KERNEL32(0030D39C,*.*), ref: 0020D16F
                              • lstrcpyW.KERNEL32 ref: 0020D18F
                              • SendMessageW.USER32(?,00000111,00019D0D,00000000), ref: 0020D1E1
                              • SendMessageW.USER32(00001013,00000000,00000000,00000000), ref: 0020D215
                              Strings
                              Similarity
                              • API ID: MessageSend$lstrcmplstrcpy
                              • String ID: *.*
                              • API String ID: 183746767-438819550
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0020478A
                              • SendMessageW.USER32 ref: 002047B9
                              • StrRetToBufW.SHLWAPI(?,?,?,00000040), ref: 002047E8
                              • PathRemoveBackslashW.SHLWAPI ref: 002047EF
                              Strings
                              Similarity
                              • API ID: MessageSend$BackslashPathRemove
                              • String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,002531CA), ref: 00253220
                              • GetLastError.KERNEL32(?,002531CA), ref: 0025322A
                              • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00253268
                              Strings
                              Similarity
                              • API ID: LibraryLoad$ErrorLast
                              • String ID: api-ms-$ext-ms-
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SleepConditionVariableCS.KERNELBASE(?,00212D9B,00000064), ref: 00212E39
                              • LeaveCriticalSection.KERNEL32(003076F4,?,?,00212D9B,00000064), ref: 00212E43
                              • WaitForSingleObjectEx.KERNEL32(?,00000000,?,00212D9B,00000064), ref: 00212E54
                              • EnterCriticalSection.KERNEL32(003076F4,?,00212D9B,00000064), ref: 00212E5B
                              Strings
                              Similarity
                              • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                              • String ID: 7!
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LoadLibraryW.KERNEL32(uxtheme.dll), ref: 002051D9
                              • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 002051EB
                              • FreeLibrary.KERNEL32(00000000), ref: 002051FA
                              Strings
                              Similarity
                              • API ID: Library$AddressFreeLoadProc
                              • String ID: IsAppThemed$uxtheme.dll
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • __alloca_probe_16.LIBCMT ref: 002528A8
                              • __alloca_probe_16.LIBCMT ref: 00252969
                              • __freea.LIBCMT ref: 002529D0
                                • Part of subcall function 00250133: RtlAllocateHeap.NTDLL(00000000,?,?,?,00212C1A,?,?,001F102A,00000024,23499D16,?,?,0026D1AF,000000FF), ref: 00250165
                              • __freea.LIBCMT ref: 002529E5
                              • __freea.LIBCMT ref: 002529F5
                              Similarity
                              • API ID: __freea$__alloca_probe_16$AllocateHeap
                              • String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,true,true,?,00000040), ref: 001F31F6
                              Strings
                              Similarity
                              • API ID: ByteCharMultiWide
                              • String ID: Settings$ShowDriveBox$false$true
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LocalAlloc.KERNEL32(00000040,?,00000000,74D0F6F0,7490BB20,?,0020F281,?,00000100,00002712,?), ref: 0020506E
                              • LoadStringW.USER32(?,00000000,?), ref: 00205087
                              • LoadStringW.USER32(?,00000000,?), ref: 0020509E
                              • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 002050C2
                              • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 002050C9
                              Similarity
                              • API ID: LoadLocalString$AllocFreelstrlen
                              • String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CharNextW.USER32(?,?,74CF8250,?,001FF938), ref: 002063A1
                              • lstrlenW.KERNEL32(?,?,74CF8250,?,001FF938), ref: 002063B2
                              • lstrlenW.KERNEL32(?,?,?,001FF938), ref: 002063C7
                              • CharPrevW.USER32(?,00000000,?,?,001FF938), ref: 002063D4
                              • CharPrevW.USER32(?,00000000,?,?,001FF938), ref: 002063E7
                              Similarity
                              • API ID: Char$Prevlstrlen$Next
                              • String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetWindowThreadProcessId.USER32(?,?), ref: 00205175
                              • OpenProcess.KERNEL32(00000410,00000000,?,?,?), ref: 00205186
                              • EnumProcessModules.PSAPI(00000000,?,00000004,00000000,?,?), ref: 0020519B
                              • GetModuleFileNameExW.PSAPI(00000000,?,?,00000100,?,?), ref: 002051AC
                              • CloseHandle.KERNEL32(00000000,?,00000100,?,?), ref: 002051B3
                              Similarity
                              • API ID: Process$CloseEnumFileHandleModuleModulesNameOpenThreadWindow
                              • String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Similarity
                              • API ID: Global$AllocLockUnlocklstrcpylstrlen
                              • String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DName::DName.LIBVCRUNTIME ref: 0021A450
                              • DName::operator+.LIBCMT ref: 0021A49B
                                • Part of subcall function 002177BE: __aulldvrm.LIBCMT ref: 002177EF
                              • DName::DName.LIBVCRUNTIME ref: 0021A506
                              Strings
                              Similarity
                              • API ID: NameName::$Name::operator+__aulldvrm
                              • String ID: \f'
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • UnDecorator::getSignedDimension.LIBCMT ref: 0021CF84
                              Strings
                              Similarity
                              • API ID: Decorator::getDimensionSigned
                              • String ID: 7!
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNEL32(00308DE8,80000000,00000003,00000000,00000003,00000080,00000000), ref: 001F2703
                              • LockFileEx.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?), ref: 001F271A
                              Strings
                              • AcquireReadFileLock(%s): INVALID FILE HANDLE!, xrefs: 001F2753
                              • AcquireReadFileLock(%s): NO READER LOCK ACQUIRED!, xrefs: 001F273A
                              Similarity
                              • API ID: File$CreateLock
                              • String ID: AcquireReadFileLock(%s): INVALID FILE HANDLE!$AcquireReadFileLock(%s): NO READER LOCK ACQUIRED!
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: NameName::Name::operator+shared_ptr
                              • String ID: Dh'
                              • API String ID: 3919194733-2164041930
                              • Opcode ID: 1f008be3dc99d642f6bc44ea3bfbe355b71f3bc4eca1d410f397522dee36fe9e
                              • Instruction ID: 516575d822f32af43f44e79e39b7f53adee8bbe4bf42c0fdc21a21379f594aa7
                              • Opcode Fuzzy Hash: 1f008be3dc99d642f6bc44ea3bfbe355b71f3bc4eca1d410f397522dee36fe9e
                              • Instruction Fuzzy Hash: 04312BB09252099FCB05CFA8D8586EEBBF4FB11304F148149E512A7391D7749B9ACF42
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrcmpW.KERNEL32(?,*.*), ref: 00204339
                              • StrChrW.SHLWAPI(?,0000003B,?,*.*), ref: 0020435B
                              • StrChrW.SHLWAPI(?,0000003B,?,*.*), ref: 0020437D
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: lstrcmp
                              • String ID: *.*
                              • API String ID: 1534048567-438819550
                              • Opcode ID: 8792089f8a09308ea69a7fcd9e459547b23816b590f6eb4cc16f3d76e786377e
                              • Instruction ID: e899ab4ef28d7dd730e1cf461316f5844f83bf606a15714928a66c644e4f061a
                              • Opcode Fuzzy Hash: 8792089f8a09308ea69a7fcd9e459547b23816b590f6eb4cc16f3d76e786377e
                              • Instruction Fuzzy Hash: CD21D5B52117029BD725AF24DC447A7F3E8EF81710F14C5AEEA4687681EB72A921CB10
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LoadImageW.USER32 ref: 00210164
                              • lstrcpyW.KERNEL32 ref: 002101B8
                              • Shell_NotifyIconW.SHELL32(00000002,000003BC), ref: 002101D0
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: IconImageLoadNotifyShell_lstrcpy
                              • String ID: MiniPath
                              • API String ID: 2060738540-3848962392
                              • Opcode ID: 16a94a20022bc68a7462768078e162e446313e748fbea39efb97e1b563a9cf77
                              • Instruction ID: 55710d172ec419c0b0911d00d12dbc8cc0269112405bbbfe000fa98ba3318ec1
                              • Opcode Fuzzy Hash: 16a94a20022bc68a7462768078e162e446313e748fbea39efb97e1b563a9cf77
                              • Instruction Fuzzy Hash: D911C674614310AFE321CF04EC49B9BBBECEB98714F40441EF588A7290D3F49A948F92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000004,00000080,00000000), ref: 001F2664
                              • LockFileEx.KERNEL32(00000000,00000002,00000000,000000FF,00000000,?,?,C0000000,00000003,00000000,00000004,00000080,00000000), ref: 001F267B
                                • Part of subcall function 00202F30: GetLastError.KERNEL32(?,00000000,?,?,001F2773), ref: 00202F39
                                • Part of subcall function 00202F30: FormatMessageW.KERNEL32 ref: 00202F63
                                • Part of subcall function 00202F30: lstrlenW.KERNEL32(00000000,00000000,00308DE8), ref: 00202F7A
                                • Part of subcall function 00202F30: lstrlenW.KERNEL32(00000000), ref: 00202F82
                                • Part of subcall function 00202F30: LocalAlloc.KERNEL32(00000040,00000000), ref: 00202F92
                                • Part of subcall function 00202F30: GetFocus.USER32(00000000,00000000,?,?,00000000,00000000,?,?,001F2773), ref: 00202FBF
                                • Part of subcall function 00202F30: MessageBoxExW.USER32 ref: 00202FDA
                                • Part of subcall function 00202F30: LocalFree.KERNEL32(00000000,?,?,001F2773), ref: 00202FE1
                                • Part of subcall function 00202F30: LocalFree.KERNEL32(?), ref: 00202FE7
                              Strings
                              • AcquireWriteFileLock(): NO EXCLUSIVE LOCK ACQUIRED!, xrefs: 001F268A
                              • AcquireWriteFileLock(): INVALID FILE HANDLE!, xrefs: 001F26A0
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: Local$FileFreeMessagelstrlen$AllocCreateErrorFocusFormatLastLock
                              • String ID: AcquireWriteFileLock(): INVALID FILE HANDLE!$AcquireWriteFileLock(): NO EXCLUSIVE LOCK ACQUIRED!
                              • API String ID: 434643049-250906885
                              • Opcode ID: e8bbf8e9ef6e07c0ab5b78b230ded79272d17403e605e18346ca98421f0cdb50
                              • Instruction ID: 508502f47fe45af7aea2b42353517e3acd50bc4dada7291babfbc72b8e7b4359
                              • Opcode Fuzzy Hash: e8bbf8e9ef6e07c0ab5b78b230ded79272d17403e605e18346ca98421f0cdb50
                              • Instruction Fuzzy Hash: 83F0F6313A521272E634253D7C5DF5A62989F82BF5F398336FB74EA0E4CBE09C460168
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0021335E
                              • ___raise_securityfailure.LIBCMT ref: 0021341B
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: FeaturePresentProcessor___raise_securityfailure
                              • String ID: "/ $8w0
                              • API String ID: 3761405300-2985966832
                              • Opcode ID: b83d4047cf5c7459ca619ad34bf8af23a59fd94c0f5c2807f8af071c4d3744e8
                              • Instruction ID: 96b07966daae0b65fc7d29f578ad4bf14683f48834ae2d49d6bab25abd619494
                              • Opcode Fuzzy Hash: b83d4047cf5c7459ca619ad34bf8af23a59fd94c0f5c2807f8af071c4d3744e8
                              • Instruction Fuzzy Hash: AB1193B4D1A204DBD712DF19ECAA6547BECFB08750F00E16BE80887760E3B06581CF99
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetPropW.USER32(DirListData), ref: 002040E2
                              • SHGetPathFromIDListW.SHELL32(?,?), ref: 002040F0
                              • lstrcpyW.KERNEL32 ref: 00204100
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: FromListPathProplstrcpy
                              • String ID: DirListData
                              • API String ID: 1236027899-869039069
                              • Opcode ID: e04cd7524a10532b0b7c20bacbe82efc8d620dee6689bc4d4ca10330fd2c9b5c
                              • Instruction ID: d912743ac4341dcf16155a03f37865eb62759f5a44b3632e6f9d8b69c4e2d3a4
                              • Opcode Fuzzy Hash: e04cd7524a10532b0b7c20bacbe82efc8d620dee6689bc4d4ca10330fd2c9b5c
                              • Instruction Fuzzy Hash: B3F0F6B41103009FD720EF20EC0EBBE77E4EB58300F818119F81D821A1EA748964DB52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0021E333,00000000,?,00307AA8,?,?,?,0021E58A,00000004,InitializeCriticalSectionEx,00276CDC,InitializeCriticalSectionEx), ref: 0021E443
                              • GetLastError.KERNEL32(?,0021E333,00000000,?,00307AA8,?,?,?,0021E58A,00000004,InitializeCriticalSectionEx,00276CDC,InitializeCriticalSectionEx,00000000,?,00217052), ref: 0021E44D
                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0021E475
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: LibraryLoad$ErrorLast
                              • String ID: api-ms-
                              • API String ID: 3177248105-2084034818
                              • Opcode ID: b17c0e549be7de6c1202a6275aca0fbf15227655bd1f937163cfc95f5f26f7af
                              • Instruction ID: 6f5492a1ee74443cfe99b0c732cc1b3b9a337ce4469a4162567cfbfff8e5aa33
                              • Opcode Fuzzy Hash: b17c0e549be7de6c1202a6275aca0fbf15227655bd1f937163cfc95f5f26f7af
                              • Instruction Fuzzy Hash: B7E012317A4205B6EF111F60FC0BB583AA9AB11B40F158420F98CA80E0E7B298609985
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: FreeTask$MessageSend
                              • String ID:
                              • API String ID: 1000612462-3916222277
                              • Opcode ID: e9e4f6298c9655ed09b486b67aa6a101de362ffe3fb82d0939e64fc4e694fb71
                              • Instruction ID: 4094f2faa5114a6a9365a6e8a091acdd8384e8d5ea01608a83912cfc5e01c847
                              • Opcode Fuzzy Hash: e9e4f6298c9655ed09b486b67aa6a101de362ffe3fb82d0939e64fc4e694fb71
                              • Instruction Fuzzy Hash: E6F01579604200AFE704DF58ED88B5ABBF8FB8C700F008019F64997260C771E895CB52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetPropW.USER32(00000000,DirListData), ref: 0020323A
                                • Part of subcall function 00203280: GetPropW.USER32(?,DirListData), ref: 0020328A
                                • Part of subcall function 00203280: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,00203420,?,?), ref: 00203298
                                • Part of subcall function 00203280: WaitForSingleObject.KERNEL32(?,00000000,?,?,?,?,?,?,?,00203420,?,?), ref: 002032A6
                                • Part of subcall function 00203280: PeekMessageW.USER32 ref: 002032D2
                                • Part of subcall function 00203280: TranslateMessage.USER32(?), ref: 002032DD
                                • Part of subcall function 00203280: DispatchMessageW.USER32 ref: 002032E4
                                • Part of subcall function 00203280: WaitForSingleObject.KERNEL32(?,00000000,?,?,?,?,?,?,?,00203420,?,?), ref: 002032EE
                                • Part of subcall function 00203280: ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,00203420,?,?), ref: 00203301
                                • Part of subcall function 00203280: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,00203420,?,?), ref: 0020330D
                              • ResetEvent.KERNEL32(?), ref: 00203255
                              • ResetEvent.KERNEL32(?), ref: 0020325D
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: Event$MessageReset$ObjectPropSingleWait$DispatchPeekTranslate
                              • String ID: DirListData
                              • API String ID: 628585283-869039069
                              • Opcode ID: 5e6a401ad763ce2df7071a815214b7f7754d824fe42f51504f634aabac4c54bc
                              • Instruction ID: 462fa7c4aec796d68a4394f60663496ca69918515fbaac0a68b1ed42717f7ab0
                              • Opcode Fuzzy Hash: 5e6a401ad763ce2df7071a815214b7f7754d824fe42f51504f634aabac4c54bc
                              • Instruction Fuzzy Hash: 4FE08C36A5022037DF242326BC0EF8A7E68DF86731F064166F408572A09AF02D628DE4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SetBkColor.GDI32(?,00333333), ref: 0020838E
                              • GetSysColor.USER32(0000000F), ref: 00208398
                              • SetBkColor.GDI32(?,00000000), ref: 002083A0
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: Color
                              • String ID: 333
                              • API String ID: 2811717613-2463598333
                              • Opcode ID: 0a8497768f7357c8206f5d6b4bea6b2387e19a89b984a03bf99b5d30e633d44b
                              • Instruction ID: d401ad399477218240a2a506f1885c14192a1248d5fd84fa8284395257f2d361
                              • Opcode Fuzzy Hash: 0a8497768f7357c8206f5d6b4bea6b2387e19a89b984a03bf99b5d30e633d44b
                              • Instruction Fuzzy Hash: A7D0C939101522EBEB512718BD0C9EE261DEF95632B0EC465F945A1054DFD80D4146F2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • __EH_prolog3.LIBCMT ref: 0021A1DB
                              • UnDecorator::getSymbolName.LIBCMT ref: 0021A26D
                              • DName::operator+.LIBCMT ref: 0021A371
                              • DName::DName.LIBVCRUNTIME ref: 0021A414
                                • Part of subcall function 00217B49: shared_ptr.LIBCMT ref: 00217B65
                                • Part of subcall function 00217DE3: DName::DName.LIBVCRUNTIME ref: 00217E41
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: Name$Name::$Decorator::getH_prolog3Name::operator+Symbolshared_ptr
                              • String ID:
                              • API String ID: 1134295639-0
                              • Opcode ID: 0aea83f6eae81afd1b3b96e7c5a99c7c53af07ba6ae464b8c3a4fce598e86fc2
                              • Instruction ID: 03d45a8b7d3a09b798c93245b14d0e98f465ce23e024daf0e3163b6bfaf7fcd7
                              • Opcode Fuzzy Hash: 0aea83f6eae81afd1b3b96e7c5a99c7c53af07ba6ae464b8c3a4fce598e86fc2
                              • Instruction Fuzzy Hash: 8671AF71D2621A8FDB01CF94D895BEEBBF8FB18310F14406AE812AB241D775AE94CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4d9aaac3d82e0b93b221395fe860328737b563eae3752678618d2563e646c137
                              • Instruction ID: 703bdba7bc6a35fda58e9384036cdddeae60c37f3da085fd994bff08ff2d8a88
                              • Opcode Fuzzy Hash: 4d9aaac3d82e0b93b221395fe860328737b563eae3752678618d2563e646c137
                              • Instruction Fuzzy Hash: 8B21FD31731206AFDB20AF60DC8996BB7B8EF403667818D25FC1997211DB30EC348BA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 002080CE
                              • VerSetConditionMask.KERNEL32(00000000), ref: 002080D2
                              • VerSetConditionMask.KERNEL32(00000000), ref: 002080D6
                              • VerifyVersionInfoW.KERNEL32(?,00000023,00000000), ref: 002080F9
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: ConditionMask$InfoVerifyVersion
                              • String ID:
                              • API String ID: 2793162063-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: FreeLocal$lstrcmpi
                              • String ID:
                              • API String ID: 4076108973-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,true,true,?,00000040,?,00000000), ref: 001F7053
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: ByteCharMultiWide
                              • String ID: Settings$false$true
                              • API String ID: 626452242-540067373
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: LoadLocalString$AllocFree
                              • String ID:
                              • API String ID: 1922530790-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,00000000), ref: 00208186
                              • VerSetConditionMask.KERNEL32(00000000), ref: 0020818A
                              • VerSetConditionMask.KERNEL32(00000000), ref: 0020818E
                              • VerifyVersionInfoW.KERNEL32(00000023), ref: 002081B3
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: ConditionMask$InfoVerifyVersion
                              • String ID:
                              • API String ID: 2793162063-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,00000000), ref: 00208246
                              • VerSetConditionMask.KERNEL32(00000000), ref: 0020824A
                              • VerSetConditionMask.KERNEL32(00000000), ref: 0020824E
                              • VerifyVersionInfoW.KERNEL32(00000023), ref: 00208273
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: ConditionMask$InfoVerifyVersion
                              • String ID:
                              • API String ID: 2793162063-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,00000000), ref: 00208306
                              • VerSetConditionMask.KERNEL32(00000000), ref: 0020830A
                              • VerSetConditionMask.KERNEL32(00000000), ref: 0020830E
                              • VerifyVersionInfoW.KERNEL32(00000023), ref: 00208333
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: ConditionMask$InfoVerifyVersion
                              • String ID:
                              • API String ID: 2793162063-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrcpyW.KERNEL32 ref: 00200234
                                • Part of subcall function 00207A20: FindResourceW.KERNEL32(00000000,?,00000005,?,?), ref: 00207A37
                                • Part of subcall function 00207A20: LoadResource.KERNEL32(00000000,00000000), ref: 00207A4A
                                • Part of subcall function 00207A20: LockResource.KERNEL32(00000000), ref: 00207A5B
                                • Part of subcall function 00207A20: SizeofResource.KERNEL32(00000000,00000000), ref: 00207A6E
                                • Part of subcall function 00207A20: LocalAlloc.KERNEL32(00000040,00000040), ref: 00207A84
                                • Part of subcall function 00207A20: FreeResource.KERNEL32(00000000), ref: 00207AA0
                                • Part of subcall function 00207A20: lstrlenW.KERNEL32(?), ref: 00207B1D
                              • DialogBoxIndirectParamW.USER32 ref: 0020025C
                              • LocalFree.KERNEL32(00000000,?,Function_0000FEA0,00000000), ref: 00200269
                              • lstrcmpiW.KERNEL32(0030D39C,?,?,Function_0000FEA0,00000000), ref: 0020027E
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: Resource$FreeLocal$AllocDialogFindIndirectLoadLockParamSizeoflstrcmpilstrcpylstrlen
                              • String ID:
                              • API String ID: 2002630831-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: FreeLocallstrcmplstrcmpi
                              • String ID:
                              • API String ID: 2513707357-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 00207A20: FindResourceW.KERNEL32(00000000,?,00000005,?,?), ref: 00207A37
                                • Part of subcall function 00207A20: LoadResource.KERNEL32(00000000,00000000), ref: 00207A4A
                                • Part of subcall function 00207A20: LockResource.KERNEL32(00000000), ref: 00207A5B
                                • Part of subcall function 00207A20: SizeofResource.KERNEL32(00000000,00000000), ref: 00207A6E
                                • Part of subcall function 00207A20: LocalAlloc.KERNEL32(00000040,00000040), ref: 00207A84
                                • Part of subcall function 00207A20: FreeResource.KERNEL32(00000000), ref: 00207AA0
                                • Part of subcall function 00207A20: lstrlenW.KERNEL32(?), ref: 00207B1D
                              • DialogBoxIndirectParamW.USER32 ref: 0020C556
                              • LocalFree.KERNEL32(00000000,?,Function_00011DE0,?), ref: 0020C563
                              • lstrcpyW.KERNEL32 ref: 0020C582
                              • CreateDirectoryW.KERNEL32(?,00000000,?,Function_00011DE0,?), ref: 0020C592
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: Resource$FreeLocal$AllocCreateDialogDirectoryFindIndirectLoadLockParamSizeoflstrcpylstrlen
                              • String ID:
                              • API String ID: 3032008022-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • ShowWindow.USER32 ref: 0020D30C
                              • GetFocus.USER32 ref: 0020D31C
                              • GetDlgCtrlID.USER32 ref: 0020D323
                              • SetFocus.USER32 ref: 0020D336
                                • Part of subcall function 00205C50: GetClientRect.USER32(?,?), ref: 00205C67
                                • Part of subcall function 00205C50: SendMessageW.USER32(?,00000005,00000000,?), ref: 00205C82
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: Focus$ClientCtrlMessageRectSendShowWindow
                              • String ID:
                              • API String ID: 297912541-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 002067F0
                              • SHGetPathFromIDListW.SHELL32(?), ref: 002067FF
                              • CoTaskMemFree.OLE32(?), ref: 00206809
                              • GetWindowsDirectoryW.KERNEL32 ref: 00206815
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: DirectoryFolderFreeFromListLocationPathSpecialTaskWindows
                              • String ID:
                              • API String ID: 2330934124-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SHGetSpecialFolderLocation.SHELL32(00000000,00000005,?), ref: 002067AD
                              • SHGetPathFromIDListW.SHELL32(?), ref: 002067BC
                              • CoTaskMemFree.OLE32(?), ref: 002067C6
                              • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 002067D5
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: DirectoryFolderFreeFromListLocationPathSpecialTaskWindows
                              • String ID:
                              • API String ID: 2330934124-0
                              • Opcode ID: e8cfff39dcad0d434b71d5832e77d3c89f7a9192ac6abfa4f64afdff76d72cd4
                              • Instruction ID: d6dc58bb68cce63ae117105adb5ed9739d4d55585f696391b3af6704dc25367f
                              • Opcode Fuzzy Hash: e8cfff39dcad0d434b71d5832e77d3c89f7a9192ac6abfa4f64afdff76d72cd4
                              • Instruction Fuzzy Hash: 57E086B5201210BBEA101B10FD0DFDB7B5DEF40763F118059F506C10B0D7F04C20AA51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: 7!
                              • API String ID: 0-945759478
                              • Opcode ID: d9c7e984aea18a07d9207910d7e72508c7ffeace137cd843d2a041813794da79
                              • Instruction ID: beb114d6cc5bc0ce3a17c851230ec152b56fd016506b3dc98e8fe084f58a4fd1
                              • Opcode Fuzzy Hash: d9c7e984aea18a07d9207910d7e72508c7ffeace137cd843d2a041813794da79
                              • Instruction Fuzzy Hash: 7AA11732E312128FDF25EF68D8956ACB7F1AB55312F190029EC05B7291DBB14CA8CF59
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: __aulldiv
                              • String ID: fT$$fT$
                              • API String ID: 3732870572-1468700414
                              • Opcode ID: 688a526971a12a1e900ad88c9e4ff13b7aa968bcb8cb2abb22ba6f28d2945cd7
                              • Instruction ID: a6bb84a415476159ca1dbb0f9cc6bee4d63bd02702072d6b9aecc7871b7a00bd
                              • Opcode Fuzzy Hash: 688a526971a12a1e900ad88c9e4ff13b7aa968bcb8cb2abb22ba6f28d2945cd7
                              • Instruction Fuzzy Hash: 2DA13830A209299FCF2CDE68C8516FE7BA0AF51354F144156FCE1AB283D7B09D61CB10
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: @|0$C:\Users\user\Desktop\HkObDPju6Z.exe
                              • API String ID: 0-2962242468
                              • Opcode ID: 1cb98c25fadb02ee8e39c0c3c39817024573ec01cfbf73b7ea1924f2b7807843
                              • Instruction ID: 8c8c1e3fcfe282f131a9d55999045ef766ffd25ca1f5ab38fab5a87a4be5002c
                              • Opcode Fuzzy Hash: 1cb98c25fadb02ee8e39c0c3c39817024573ec01cfbf73b7ea1924f2b7807843
                              • Instruction Fuzzy Hash: A53104B1EA5214EFCB2AEF98DCC19AEBBACEB44711F100067F505A7240D7708D508B91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • EncodePointer.KERNEL32(00000000,?), ref: 002166E7
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: EncodePointer
                              • String ID: MOC$RCC
                              • API String ID: 2118026453-2084237596
                              • Opcode ID: 99061353041947eaba24de9dcb7baae09d421b8fb78929431eb3324a206c146e
                              • Instruction ID: 09a19c6397e1f64d01b60e73543d2ed0b975728202bc1655f5d36594f371b214
                              • Opcode Fuzzy Hash: 99061353041947eaba24de9dcb7baae09d421b8fb78929431eb3324a206c146e
                              • Instruction Fuzzy Hash: 41418A3291010AAFCF15DF98CC85AEEBBF5FF58308F158099F908672A1D33699A1DB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • ___TypeMatch.LIBVCRUNTIME ref: 00216EAC
                              • type_info::operator==.LIBVCRUNTIME ref: 00216F0E
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: MatchTypetype_info::operator==
                              • String ID: lU'
                              • API String ID: 445925684-3695900460
                              • Opcode ID: 2a97df5eb672b991712f0b5f09994ab774c5b3d93a8edd10d3c520742affc728
                              • Instruction ID: 3f88a165871e7e576da760fcd165d02d60b4c1f84030344f5e4cfa920c9cfc53
                              • Opcode Fuzzy Hash: 2a97df5eb672b991712f0b5f09994ab774c5b3d93a8edd10d3c520742affc728
                              • Instruction Fuzzy Hash: E1314A75A1021AAFCF00CF9CD9859EEBBF5EF68314B10816AE919E7301D231ED518F90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 002176A1: pDNameNode::pDNameNode.LIBCMT ref: 002176C7
                              • DName::DName.LIBVCRUNTIME ref: 0021A1BC
                              • DName::operator+.LIBCMT ref: 0021A1CA
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: Name$Name::Name::operator+NodeNode::p
                              • String ID: Ph'
                              • API String ID: 3257498322-2614338406
                              • Opcode ID: fb67d16c2f2f10fdf0e004971c0bac308dc5aa9733f6a22a5406d80cd307b28b
                              • Instruction ID: 594fc015143670635f45fe5cba4b152e7191fdcd62e89d4b75417063cc470935
                              • Opcode Fuzzy Hash: fb67d16c2f2f10fdf0e004971c0bac308dc5aa9733f6a22a5406d80cd307b28b
                              • Instruction Fuzzy Hash: 4F216B71825209AFCB05DF94C8559EF7BF8EB24300F00815AE90A97251E7705AA4CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: NameName::Name::operator+=
                              • String ID: h'
                              • API String ID: 2247604192-3475163958
                              • Opcode ID: 8e66c6875f85d3dd2bc66ee2d73839c8b11e3db4fe20dd9dd92c82c347a65b1d
                              • Instruction ID: 15bab43afeadfca242d6b8beb3e174b85833d0dc8f238816fc34bdfbc10664bd
                              • Opcode Fuzzy Hash: 8e66c6875f85d3dd2bc66ee2d73839c8b11e3db4fe20dd9dd92c82c347a65b1d
                              • Instruction Fuzzy Hash: 0611757581421ABBCB04EF94C8599EEBBF8EF60300F004455E40667281DB7097D4CE91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00213258
                              • ___raise_securityfailure.LIBCMT ref: 00213340
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: FeaturePresentProcessor___raise_securityfailure
                              • String ID: 8w0
                              • API String ID: 3761405300-2476651175
                              • Opcode ID: d17f1121f245c6a328cd1744991242a94937977b1a2ec87b4767ec4a4c05c0d3
                              • Instruction ID: eea2d2c33935dc592fda2d8d0b0ea60f3ede3c3754b321c871a5b426ea9bbcba
                              • Opcode Fuzzy Hash: d17f1121f245c6a328cd1744991242a94937977b1a2ec87b4767ec4a4c05c0d3
                              • Instruction Fuzzy Hash: E821D8B491A200DAD712DF19FCAA7547BE8FB08754F10D56BE908867A0E3B06981CF95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetLastError.KERNEL32(00280270,0000000C,?), ref: 002411F0
                              • ExitThread.KERNEL32 ref: 002411F7
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: ErrorExitLastThread
                              • String ID: 7!
                              • API String ID: 1611280651-945759478
                              • Opcode ID: f99f0aa09196d531f9a035aa833a6cfd60407009f866af2c7f519887f2c321ed
                              • Instruction ID: b57e1effbf95daa53cf9e4e9499d3dc95001d198229d3da24403298fc5d8f864
                              • Opcode Fuzzy Hash: f99f0aa09196d531f9a035aa833a6cfd60407009f866af2c7f519887f2c321ed
                              • Instruction Fuzzy Hash: 8301AD31960205AFDF08BFB0E84AAAE7B79EF45310F114144F8159B2A1CB7059B1CF91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetLastError.KERNEL32(00280250,0000000C), ref: 00241170
                              • ExitThread.KERNEL32 ref: 00241177
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: ErrorExitLastThread
                              • String ID: 7!
                              • API String ID: 1611280651-945759478
                              • Opcode ID: 5e2debf90af827ffb46403da90e4272a14a5761885259dcad220715558cdf7b9
                              • Instruction ID: fa40d2ea754a36ad9c8b62b486fc7f534515dc301bd1917aef6cb4ea800c6703
                              • Opcode Fuzzy Hash: 5e2debf90af827ffb46403da90e4272a14a5761885259dcad220715558cdf7b9
                              • Instruction Fuzzy Hash: CAF0FF31A60205AFEB08BFB0D84BB6E7775EF41711F104049F4068B291CBB059A18FA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • PathFindExtensionW.SHLWAPI(?,.lnk,74CF8250), ref: 00206027
                              • lstrcmpiW.KERNEL32(00000000), ref: 0020602E
                                • Part of subcall function 00206080: CoCreateInstance.OLE32(0027378C,00000000,00000001,0026FD7C,?,0000C356,?), ref: 002060AF
                                • Part of subcall function 00206080: lstrcpyW.KERNEL32 ref: 002060DB
                                • Part of subcall function 00206080: ExpandEnvironmentStringsW.KERNEL32(?,?,00000138), ref: 00206152
                                • Part of subcall function 00206080: lstrcpynW.KERNEL32(?,?,?), ref: 0020616C
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.462974099.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                              Similarity
                              • API ID: CreateEnvironmentExpandExtensionFindInstancePathStringslstrcmpilstrcpylstrcpyn
                              • String ID: .lnk
                              • API String ID: 2874927818-24824748
                              • Opcode ID: 90905303135ee6c4e85883ff2691c78e78e775cea2a5e3513597a29ebad363bd
                              • Instruction ID: f57f068a27a158e5214f88cc1a1f0ccb2c5b44206202e5ac8172d119b78f2edd
                              • Opcode Fuzzy Hash: 90905303135ee6c4e85883ff2691c78e78e775cea2a5e3513597a29ebad363bd
                              • Instruction Fuzzy Hash: 83F0F670A603204BDB34EF24E84E7EE33D4BB68310F444819F845862D1EEB845B486C2
                              Uniqueness

                              Uniqueness Score: -1.00%