Edit tour

Windows Analysis Report
ab.exe

Overview

General Information

Sample Name:	ab.exe
Analysis ID:	1730341
MD5:	0b486fe0503524cfe4726a4022fa6a68
SHA1:	297dea71d489768ce45d23b0f8a45424b469ab00
SHA256:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
Infos:

Detection

Avaddon

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Found detection on Joe Sandbox Cloud Basic

Antivirus detection for dropped file

Machine Learning detection for dropped file

Spreads via windows shares (copies files to share folders)

Deletes shadow drive data (may be related to ransomware)

Creates processes via WMI

Uses 32bit PE files

Checks if the current process is being debugged

Checks for available system drives (often done to infect USB drives)

Classification

Process Tree

System is start

ab.exe (PID: 2704 cmdline: "C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe" MD5: 0B486FE0503524CFE4726A4022FA6A68)

ab.exe (PID: 4556 cmdline: "C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe" MD5: 0B486FE0503524CFE4726A4022FA6A68)

WMIC.exe (PID: 6576 cmdline: wmic SHADOWCOPY DELETE /nointeractive MD5: 82BB8430531876FBF5266E53460A393E)

conhost.exe (PID: 3392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: D837FA4DEE7D84C19FF6F71FC48A6625)

WMIC.exe (PID: 5372 cmdline: wmic SHADOWCOPY DELETE /nointeractive MD5: 82BB8430531876FBF5266E53460A393E)

conhost.exe (PID: 5956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: D837FA4DEE7D84C19FF6F71FC48A6625)

WMIC.exe (PID: 5540 cmdline: wmic SHADOWCOPY DELETE /nointeractive MD5: 82BB8430531876FBF5266E53460A393E)

conhost.exe (PID: 412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: D837FA4DEE7D84C19FF6F71FC48A6625)

WMIC.exe (PID: 7136 cmdline: wmic SHADOWCOPY DELETE /nointeractive MD5: A2EF3F0AD95FDA9262A5F9533B6DD1BD)

conhost.exe (PID: 460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: D837FA4DEE7D84C19FF6F71FC48A6625)

WMIC.exe (PID: 5968 cmdline: wmic SHADOWCOPY DELETE /nointeractive MD5: A2EF3F0AD95FDA9262A5F9533B6DD1BD)

conhost.exe (PID: 3084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: D837FA4DEE7D84C19FF6F71FC48A6625)

WMIC.exe (PID: 3836 cmdline: wmic SHADOWCOPY DELETE /nointeractive MD5: A2EF3F0AD95FDA9262A5F9533B6DD1BD)

conhost.exe (PID: 4316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: D837FA4DEE7D84C19FF6F71FC48A6625)

ab.exe (PID: 6468 cmdline: C:\Users\abbas\AppData\Roaming\Microsoft\Windows\ab.exe MD5: 0B486FE0503524CFE4726A4022FA6A68)

cleanup

Yara Overview

⊘No yara matches

Sigma Overview

⊘No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ab.exe	Virustotal: Detection: 86%	Perma Link
Source: ab.exe	Metadefender: Detection: 65%	Perma Link
Source: ab.exe	ReversingLabs: Detection: 96%

Antivirus detection for dropped file

Source: C:\Users\abbas\AppData\Roaming\Microsoft\Windows\ab.exe

Avira: detection malicious, Label: HEUR/AGEN.1136765

Machine Learning detection for dropped file

Source: C:\Users\abbas\AppData\Roaming\Microsoft\Windows\ab.exe

Joe Sandbox ML: detected

Source: ab.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File created: C:\Users\abbas\Desktop\GAOBCVIQIJ\GVYSd_readme_.txt
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File created: C:\Users\abbas\Desktop\GVYSd_readme_.txt
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File created: \\DC-01\public\GVYSd_readme_.txt
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File created: C:\Users\abbas\Desktop\QCFWYSKMHA\GVYSd_readme_.txt

Source: ab.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Spreading

Spreads via windows shares (copies files to share folders)

Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File created: Z:\$RECYCLE.BIN
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File created: Z:\$RECYCLE.BIN\S-1-5-21-3384971621-2488082584-654606338-1105
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File created: Z:\$RECYCLE.BIN\S-1-5-21-3384971621-2488082584-654606338-1105\desktop.ini

Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: z:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: x:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: v:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: t:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: r:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: p:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: n:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: l:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: j:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: h:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: f:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: d:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: b:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: y:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: w:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: u:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: s:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: q:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: o:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: m:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: k:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: i:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: g:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: e:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: c:
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File opened: a:

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: 140.31.126.40.in-addr.arpa

Spam, unwanted Advertisements and Ransom Demands

Deletes shadow drive data (may be related to ransomware)

Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive

System Summary

Found detection on Joe Sandbox Cloud Basic

Source: ab.exe

Joe Sandbox Cloud Basic: Detection: malicious Score: 100 Threat Name: Avaddon

Perma Link

Source: ab.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: ab.exe	Virustotal: Detection: 86%
Source: ab.exe	Metadefender: Detection: 65%
Source: ab.exe	ReversingLabs: Detection: 96%

Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe

File read: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe

Source: ab.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: unknown	Process created: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe "C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe"
Source: unknown	Process created: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe "C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe"
Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: unknown	Process created: C:\Users\abbas\AppData\Roaming\Microsoft\Windows\ab.exe C:\Users\abbas\AppData\Roaming\Microsoft\Windows\ab.exe

Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe

File created: C:\Users\abbas\AppData\Roaming\Microsoft\Windows\ab.exe

Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe

File written: C:\$RECYCLE.BIN\S-1-5-21-3384971621-2488082584-654606338-1105\desktop.ini

Source: classification engine

Classification label: mal80.rans.spre.winEXE@18/46@9/0

Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe

File read: C:\$RECYCLE.BIN\S-1-5-21-3384971621-2488082584-654606338-1105\desktop.ini

Source: ab.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ab.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ab.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ab.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ab.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ab.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ab.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: ab.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: ab.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ab.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ab.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ab.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ab.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File created: C:\Users\abbas\Desktop\GAOBCVIQIJ\GVYSd_readme_.txt
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File created: C:\Users\abbas\Desktop\GVYSd_readme_.txt
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File created: \\DC-01\public\GVYSd_readme_.txt
Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe	File created: C:\Users\abbas\Desktop\QCFWYSKMHA\GVYSd_readme_.txt

Source: C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe

Process queried: DebugPort

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	11 Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	1 Taint Shared Content	Data from Local System	Exfiltration Over Other Network Medium	1 Non-Application Layer Protocol	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	1 Replication Through Removable Media	Data from Removable Media	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	11 Peripheral Device Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 File Deletion	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ab.exe	87%	Virustotal		Browse
ab.exe	66%	Metadefender		Browse
ab.exe	96%	ReversingLabs	Win32.Ransomware.Avaddon

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\abbas\AppData\Roaming\Microsoft\Windows\ab.exe	100%	Avira	HEUR/AGEN.1136765
C:\Users\abbas\AppData\Roaming\Microsoft\Windows\ab.exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
252.0.0.224.in-addr.arpa	0%	Virustotal		Browse
251.0.0.224.in-addr.arpa	0%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
140.31.126.40.in-addr.arpa	unknown	unknown	true		unknown
13.173.189.20.in-addr.arpa	unknown	unknown	true		unknown
252.0.0.224.in-addr.arpa	unknown	unknown	true	0%, Virustotal, Browse	unknown
251.0.0.224.in-addr.arpa	unknown	unknown	true	0%, Virustotal, Browse	unknown
1.1.1.1.in-addr.arpa	unknown	unknown	true		unknown
250.255.255.239.in-addr.arpa	unknown	unknown	true		unknown
254.81.26.67.in-addr.arpa	unknown	unknown	true		unknown
209.205.72.20.in-addr.arpa	unknown	unknown	true		unknown
254.158.27.67.in-addr.arpa	unknown	unknown	true		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	1730341
Start date:	01.02.2022
Start time:	12:14:29
Joe Sandbox Product:	Cloud
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ab.exe
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.rans.spre.winEXE@18/46@9/0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MusNotification.exe, dllhost.exe, consent.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, VSSVC.exe, svchost.exe, UsoClient.exe
Excluded IPs from analysis (whitelisted): 20.189.173.13, 20.83.130.102, 20.72.205.209, 67.27.158.254, 8.248.119.254, 67.27.159.254, 8.253.95.120, 67.27.158.126, 67.26.81.254, 8.248.149.254, 67.27.159.126, 92.123.195.41, 92.123.195.57
Excluded domains from analysis (whitelisted): client.wns.windows.com, 102.1.168.192.in-addr.arpa, fg.download.windowsupdate.com.c.footprint.net, wd-prod-cp-us-east-3-fe.eastus.cloudapp.azure.com, wu-shim.trafficmanager.net, 90.1.168.192.in-addr.arpa, ctldl.windowsupdate.com, 111.1.168.192.in-addr.arpa, wdcp.microsoft.com, a767.dspw65.akamai.net, wd-prod-cp.trafficmanager.net, 201.1.168.192.in-addr.arpa, settingsfd-geo.trafficmanager.net, download.windowsupdate.com.edgesuite.net, onedscolprdwus12.westus.cloudapp.azure.com, 255.1.168.192.in-addr.arpa, wpad.ad01.local, c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa, 3.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa, _ldap._tcp.Default-First-Site-Name._sites.ad01.local, 107.1.168.192.in-addr.arpa, f.4.f.0.c.f.d.2.f.c.0.e.e.c.9.2.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 1.1.1.1.in-addr.arpa

Created / dropped Files

C:\$RECYCLE.BIN\S-1-5-21-3384971621-2488082584-654606338-1105\desktop.ini

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	Windows desktop.ini, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	129
Entropy (8bit):	5.323600488446077
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	[.ShellClassInfo]..CLSID={645FF040-5081-101B-9F08-00AA002F954E}..LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-8964..

C:\Users\abbas\AppData\Roaming\Microsoft\Windows\ab.exe

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	794112
Entropy (8bit):	6.16411908069709
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9.I.}.'}}.'}}.'}i.$\|l.'}i."\|.'}i.#\|j.'}i.!\|..'}..#\|l.'}..$\|k.'}.."\|.'}i.&\|j.'}}.&}..'}...\|l.'}...}\|.'}}..}\|.'}..%\|\|.'}Rich}.'}................PE..L...G.h`....................................@....@..........................`............@.................................. ..................................D...,n..8...........................hn..@............@..X............................text...L(......................... ..`.rdata.......@......................@..@.data....x...@...h..."..............@....rsrc...............................@..@.reloc..D...........................@..B........................................................................................................................................................................................................................................................................................

C:\Users\abbas\Desktop\DUUDTUBZFW.png

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.980003303855256
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	o..6.Nt..V9..{.E;..T....Y...(.=Di@..Y...."&.,:.l.....y.:.o..J.a@.mb..`.%g..p.....7.m.a... ak..u..o..........t.ba..67..xLw.nh..q.j.xz..[n.....x..O....l.e...D.u.b(.........c..{_.....b....a}rE.A^.dWhw......A...6.$GB..9b(.U...O.p..yk-<./.......m+b..:..o..=..iYY.C.....]V.^....2.`...Kd.:..N...D.,..g..L...jAd}..J..-r..H..~...U.....)W...u..r...q Q.^....P.2...Q..u.!.\..x.8h.......E....D.?%>ls.?..Bn..?........O..$..^..~.....`_...l.Xs.f....X..C.]..E_.(...Tk.F.a.[.....bZ..c.T.......~O.d....&-U....w.mn7..-.B^a...0.X..%..f..-..)........Q`.w'L...-".I......7$.~.w....<.d.....Jg.......r...].u.}.]..;.np.........f.$..w.........>.C...g.q.....j.....r.W..;!..(.}.m.......6..f..)../....4J.nc"....9:..../DR.A< ...8,......>..3..u....n......#.G..9^y2.Ee):..0.q.g..V......ul...P2.t..#.I.'./...X......b..Q.[;..I^x}]L}.V....c3.7.K.>2.&!.f....g.]Z.1\.6.8!.......\|.....fv.y.c..i..%..vL....8~...T...W.Z&=..........,.bC..r......5.y..H.X@...B.....2K.#.3(...3-..z11...,..].fa.....

C:\Users\abbas\Desktop\DUUDTUBZFW.png.bbdabdeEdE (copy)

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.980003303855256
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	o..6.Nt..V9..{.E;..T....Y...(.=Di@..Y...."&.,:.l.....y.:.o..J.a@.mb..`.%g..p.....7.m.a... ak..u..o..........t.ba..67..xLw.nh..q.j.xz..[n.....x..O....l.e...D.u.b(.........c..{_.....b....a}rE.A^.dWhw......A...6.$GB..9b(.U...O.p..yk-<./.......m+b..:..o..=..iYY.C.....]V.^....2.`...Kd.:..N...D.,..g..L...jAd}..J..-r..H..~...U.....)W...u..r...q Q.^....P.2...Q..u.!.\..x.8h.......E....D.?%>ls.?..Bn..?........O..$..^..~.....`_...l.Xs.f....X..C.]..E_.(...Tk.F.a.[.....bZ..c.T.......~O.d....&-U....w.mn7..-.B^a...0.X..%..f..-..)........Q`.w'L...-".I......7$.~.w....<.d.....Jg.......r...].u.}.]..;.np.........f.$..w.........>.C...g.q.....j.....r.W..;!..(.}.m.......6..f..)../....4J.nc"....9:..../DR.A< ...8,......>..3..u....n......#.G..9^y2.Ee):..0.q.g..V......ul...P2.t..#.I.'./...X......b..Q.[;..I^x}]L}.V....c3.7.K.>2.&!.f....g.]Z.1\.6.8!.......\|.....fv.y.c..i..%..vL....8~...T...W.Z&=..........,.bC..r......5.y..H.X@...B.....2K.#.3(...3-..z11...,..].fa.....

C:\Users\abbas\Desktop\GAOBCVIQIJ.docx

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.97860916412443
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	....].4.............6.F.&.3R.....Mm.,...3t..7...E^I.O....5..:"...?!.90.B.....M\|..M.R}O\q:.<.O.0qMJ./j......(..)..O.ro.oK-.4.........x...,'.k.....:h....a}u.X.:`a...s.QZ.W..2SD..7)N.....VN...1.D!E.-u....&h2E).oSJW...e.\|.5..:...A].Lw......q.d..\.].{.p..YT....`)0.....P.......b.y....x.H"..0.iW<.p.j.i.t....B...< ....X..Y~WF...T.s.-...Q.:(......my...4.n.g{...........3c.K}.D.X..j!..ni...+..^%u...k[...U..o...D...B...[].i.x.X.......k.[9..0.79\|..._..f.....K./D.........>..SkT.:.c.Z..L.....e.L...<n.a\|..#=...ic`6&o.V.xo.o.p>.....^...''K...k/...{.u..)l........v...d..8)N\....I......-;=..`.a^......aS......i.k.......].P.......S$.tGn..C...Zu..e.B.(..+>.d..d.J+_...o..X$.....v....B.d6..-LY.........P......{.~.Z.u...{.J.K..........Z..........T.N..m...+.G....{..\|..O...N.M.e.r.0........n..K/..{.-h..X./X.DI.L...+.1).+.o.r.x.f.K^...8..q...u...3.Q....o..g.U...5.%...t#..a(W/L.\|.....g......(...s.4.Y<.Q}..ll...x.g.oD0...M?J....w..=."..3...`V.P.

C:\Users\abbas\Desktop\GAOBCVIQIJ.docx.bbdabdeEdE (copy)

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.97860916412443
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	....].4.............6.F.&.3R.....Mm.,...3t..7...E^I.O....5..:"...?!.90.B.....M\|..M.R}O\q:.<.O.0qMJ./j......(..)..O.ro.oK-.4.........x...,'.k.....:h....a}u.X.:`a...s.QZ.W..2SD..7)N.....VN...1.D!E.-u....&h2E).oSJW...e.\|.5..:...A].Lw......q.d..\.].{.p..YT....`)0.....P.......b.y....x.H"..0.iW<.p.j.i.t....B...< ....X..Y~WF...T.s.-...Q.:(......my...4.n.g{...........3c.K}.D.X..j!..ni...+..^%u...k[...U..o...D...B...[].i.x.X.......k.[9..0.79\|..._..f.....K./D.........>..SkT.:.c.Z..L.....e.L...<n.a\|..#=...ic`6&o.V.xo.o.p>.....^...''K...k/...{.u..)l........v...d..8)N\....I......-;=..`.a^......aS......i.k.......].P.......S$.tGn..C...Zu..e.B.(..+>.d..d.J+_...o..X$.....v....B.d6..-LY.........P......{.~.Z.u...{.J.K..........Z..........T.N..m...+.G....{..\|..O...N.M.e.r.0........n..K/..{.-h..X./X.DI.L...+.1).+.o.r.x.f.K^...8..q...u...3.Q....o..g.U...5.%...t#..a(W/L.\|.....g......(...s.4.Y<.Q}..ll...x.g.oD0...M?J....w..=."..3...`V.P.

C:\Users\abbas\Desktop\GAOBCVIQIJ\GAOBCVIQIJ.docx

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.97744184456267
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	...#1...g......^e.\|..0.r.<V?..e.]......p.{.\|5.....n....w.a_....eC.\....aW"U2.....N...QKXl.uYm....]#q. FE....wq...<..tC.....8^:.-M....I.~.6y.PL...B.e.)z..i}.5..b<...).d...D."..=.....&K.(...../}.NWH...MbB.......Y.'...x......P..l.L..\|....k..\mb....@...".....Ia..._.s...i..../....W.....l F@..B....Rt..+..b..-.Q...s..i...i}...1..M.-'..O.}..;6..x...Wh..v.<s.S.........-...C.........mpH}.@.K4..-..k....X.J.~....L.....aY..S.d..O......[.5...z+s./...Hb..0..4_+...4.=9.).K,..VC..v.. ..t`m.:.....Q.2..@.r$Ku=..0b...e.i.&=N.F..Q.......(..../7.O.@.....S.Fwd#...A...v..Ie.Y.2.2....$MY}..+A...7...^6....Z...3.........e....Zl..F...svT.j.qB.1$.4.....c..H.f.?V..^W.&k.\S.vs-T$..I...h5....S..1`..5.....[.UT.>2.j>.sCo...}H..Wg..V......../..0.f..@......c..1...E...[3..uW.1. .0...v.5.\.Y..\|.........M..l^O../..C......+<.....fK..a.<.u...ao...x.C..k>.....Q(.5...U....c.t0sHG..F......;.Z...8z.....bO..v.Y ..q...I.....8f.\|.e...v"....%..Qc,...A .L.oKE..`o....m..8.s.

C:\Users\abbas\Desktop\GAOBCVIQIJ\GAOBCVIQIJ.docx.bbdabdeEdE (copy)

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.97744184456267
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	...#1...g......^e.\|..0.r.<V?..e.]......p.{.\|5.....n....w.a_....eC.\....aW"U2.....N...QKXl.uYm....]#q. FE....wq...<..tC.....8^:.-M....I.~.6y.PL...B.e.)z..i}.5..b<...).d...D."..=.....&K.(...../}.NWH...MbB.......Y.'...x......P..l.L..\|....k..\mb....@...".....Ia..._.s...i..../....W.....l F@..B....Rt..+..b..-.Q...s..i...i}...1..M.-'..O.}..;6..x...Wh..v.<s.S.........-...C.........mpH}.@.K4..-..k....X.J.~....L.....aY..S.d..O......[.5...z+s./...Hb..0..4_+...4.=9.).K,..VC..v.. ..t`m.:.....Q.2..@.r$Ku=..0b...e.i.&=N.F..Q.......(..../7.O.@.....S.Fwd#...A...v..Ie.Y.2.2....$MY}..+A...7...^6....Z...3.........e....Zl..F...svT.j.qB.1$.4.....c..H.f.?V..^W.&k.\S.vs-T$..I...h5....S..1`..5.....[.UT.>2.j>.sCo...}H..Wg..V......../..0.f..@......c..1...E...[3..uW.1. .0...v.5.\.Y..\|.........M..l^O../..C......+<.....fK..a.<.u...ao...x.C..k>.....Q(.5...U....c.t0sHG..F......;.Z...8z.....bO..v.Y ..q...I.....8f.\|.e...v"....%..Qc,...A .L.oKE..`o....m..8.s.

C:\Users\abbas\Desktop\GAOBCVIQIJ\GVYSd_readme_.txt

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	ASCII text, with very long lines, with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	3775
Entropy (8bit):	5.73339183790735
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	-------=== Your network has been infected! ===-------.........*************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************.........All your documents, photos, databases and other important files have been encrypted and have the extension: .bbdabdeEdE......You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!......The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!......We have also downloaded a lot of private data from your network....If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.......You can get more information on our page, which is located in a Tor hidden network..........How to get to our page...----------------------------------------------------------------------------

C:\Users\abbas\Desktop\GAOBCVIQIJ\PIVFAGEAAV.mp3

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.979265732844343
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	[1...y..<....fq.ty...@`.v..'..)#....R......R.S +.HC.a...C.7P>.......v..d...D=.H".CF..xg.8..>...;..).....$.....>..,.X. ..........:0al...W.o..\i.0....y.8I..}.......6.D\./5..:.......Ky.5.A....">9`..%j..d..C....nL.p.^..#..{.al.,.8..}..J.l...Y..w........L....^[..b..M.O......S%..R.....ef...t..P...E...._E.Q148R..^....@.U.ak.j........Hy.2....tkw.G.f@..'5x......t.e5.;Q..`.!.}....A9..-.U%....p<..RbJ.b./..dZ..C.=.k....p../.p..$v..tP.4y...dR#F...!..>z.K....._?.y;.2.<8....x.L....).F. x..$..Pj.O.ZWU.3Xw."...,P....$..ne.H.z'.....b..aA1....d.y.....q.Z.....U.V.g...D.0m.D.~.....b..'q....X.d.;..T}......P^Z.TL.;....A.}.CoHQ......Z.......hw... u,E.7.FG.M.7.W.E{[..=+.U7..w.0...l....FQ..kW.a...@.U.x...,...z.-]....{..;-.).u..".H......"Q.oc.z......K9.....(...Hpr...f..H..Bc..j.....g.#...$.]..dN...l...U.).=ZU...ng'k...6k.)..D.vJ...2.q....C...u.\5.:C.i/..X.)\|C=.?.i.;...[...j<.I?.. +.q..[.0.$..l..C9N.f~...I`...i...9...b.".]s."..dF.V..S....X.!.$..z?a.5}9..$D.d.I...y.....

C:\Users\abbas\Desktop\GAOBCVIQIJ\PIVFAGEAAV.mp3.bbdabdeEdE (copy)

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.979265732844343
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	[1...y..<....fq.ty...@`.v..'..)#....R......R.S +.HC.a...C.7P>.......v..d...D=.H".CF..xg.8..>...;..).....$.....>..,.X. ..........:0al...W.o..\i.0....y.8I..}.......6.D\./5..:.......Ky.5.A....">9`..%j..d..C....nL.p.^..#..{.al.,.8..}..J.l...Y..w........L....^[..b..M.O......S%..R.....ef...t..P...E...._E.Q148R..^....@.U.ak.j........Hy.2....tkw.G.f@..'5x......t.e5.;Q..`.!.}....A9..-.U%....p<..RbJ.b./..dZ..C.=.k....p../.p..$v..tP.4y...dR#F...!..>z.K....._?.y;.2.<8....x.L....).F. x..$..Pj.O.ZWU.3Xw."...,P....$..ne.H.z'.....b..aA1....d.y.....q.Z.....U.V.g...D.0m.D.~.....b..'q....X.d.;..T}......P^Z.TL.;....A.}.CoHQ......Z.......hw... u,E.7.FG.M.7.W.E{[..=+.U7..w.0...l....FQ..kW.a...@.U.x...,...z.-]....{..;-.).u..".H......"Q.oc.z......K9.....(...Hpr...f..H..Bc..j.....g.#...$.]..dN...l...U.).=ZU...ng'k...6k.)..D.vJ...2.q....C...u.\5.:C.i/..X.)\|C=.?.i.;...[...j<.I?.. +.q..[.0.$..l..C9N.f~...I`...i...9...b.".]s."..dF.V..S....X.!.$..z?a.5}9..$D.d.I...y.....

C:\Users\abbas\Desktop\GAOBCVIQIJ\PWCCAWLGRE.jpg

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	modified
Size (bytes):	8728
Entropy (8bit):	7.9760042591280165
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	0...u.h.W..6.X>..a...Q."..P..u.6.....{+...QP.u..N.ic.Z(................\p..Q..?>xKiL6.....9.7....Y...Z=K.y..3..=..'..U......`.-....l.,N...../$.G...X.-.........MYd.1V/.+....FiO.7.R...j"...../.....P..F.t..d..Z[h.k.@....P#..\..=~.x".PC,..}.~..,...iAG..l..\|P..<..Ak..O2..G.@.........F.L.:.'..m..EEqdwM..BF2n..(._)..09s.z.%....!......_.V..:..5.7st...2Y...J\|.].P.h.\|"(.D...pY....)E.R..YDY.).yc.....~"....%6...o..`.((p.}C^..'M...6b....a..j...4...V-..iB.#..X..r...].k.Oh.~..4.....%.z.......s...!U].gP.Y...J.F\h...hC....w.E......F..S....&v...Rx....~...}..4Y~..N...8.G..K.~#....c.\ ?........:8..K.,.o......l.8.4MG...z..y.&......>f.{r..\.C..;.{.Ci.a.!.V..:...2...N).!h.I...^\|......F.. .H...p......!...F.....x.....<.._:...Z...S........M..X'..;41&z.)....t+(ndF.!@}."o.Cs.3.wg.U..l0lu95.?..&...>I.......jA..-...*.`.^rz....o.UV.<S..a.z.uq..'...\.s.....eC..;Dv.rf.1...TY.X..A.LuR._l$...k....A..b.....t..z.U..g!."....p.{..Y.w..s.(.Y]..=H..;n........F.'.._....Z..

C:\Users\abbas\Desktop\GAOBCVIQIJ\PWCCAWLGRE.jpg.bbdabdeEdE (copy)

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.9760042591280165
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	0...u.h.W..6.X>..a...Q."..P..u.6.....{+...QP.u..N.ic.Z(................\p..Q..?>xKiL6.....9.7....Y...Z=K.y..3..=..'..U......`.-....l.,N...../$.G...X.-.........MYd.1V/.+....FiO.7.R...j"...../.....P..F.t..d..Z[h.k.@....P#..\..=~.x".PC,..}.~..,...iAG..l..\|P..<..Ak..O2..G.@.........F.L.:.'..m..EEqdwM..BF2n..(._)..09s.z.%....!......_.V..:..5.7st...2Y...J\|.].P.h.\|"(.D...pY....)E.R..YDY.).yc.....~"....%6...o..`.((p.}C^..'M...6b....a..j...4...V-..iB.#..X..r...].k.Oh.~..4.....%.z.......s...!U].gP.Y...J.F\h...hC....w.E......F..S....&v...Rx....~...}..4Y~..N...8.G..K.~#....c.\ ?........:8..K.,.o......l.8.4MG...z..y.&......>f.{r..\.C..;.{.Ci.a.!.V..:...2...N).!h.I...^\|......F.. .H...p......!...F.....x.....<.._:...Z...S........M..X'..;41&z.)....t+(ndF.!@}."o.Cs.3.wg.U..l0lu95.?..&...>I.......jA..-...*.`.^rz....o.UV.<S..a.z.uq..'...\.s.....eC..;Dv.rf.1...TY.X..A.LuR._l$...k....A..b.....t..z.U..g!."....p.{..Y.w..s.(.Y]..=H..;n........F.'.._....Z..

C:\Users\abbas\Desktop\GAOBCVIQIJ\QCFWYSKMHA.pdf

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.980989009458387
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	.Q.a.....`...;.N..j..}0.O5..C.V....{.I.t..8...p....m...v...m..jA&.5.Y..H+h.6....v.N.n.p.[.F.DE.[...c+W.$....c.#.0...H.z.g.K..M`}.%...e_...e.kj.].1q<..@}..4A.T....<.R....+..X.%.....1?..[...g.3\l.r...&...6...\.#.....'#...."..O.`..'H.v+..V..n/.Z.......}P...M..gt.'....G.&..........f'.sj#...D..L...0v#.'.B.X.R .........j5...y=..\|ncIWm...[f.{.;.e...QT.[G..D....=..>.n....[&.;..........Y.$...8.FZ....KA%VSm-!.j.....Q....P...R.....E...2T...)'..}8.....D.^.~..... .f/.D!7....T....t...@b,z.^sY?qbv....D9..H3.L..+..8.G...c....i..7$.Qm.F8..y.0..N..<..0...0.f..4?..&......kE.o...#....@o.Y.=?D....I)W...y..1..x3......H...EL.J.souk.._j.......4.....9...=...x..8}..K..kr.@.h...\%.........E.:.P\|.p3s..?.io.iO....w@.M(...S.l../.R.a{..........kF.A[..Z........R...w...8.........P.G...Hb..M@ .%....s0q.W...~ #.......(../..0...N..M..n\|..a$..D. .Z..V..+.q..W..s.......aJ....U..x.... ....N.R.....y...9.b.9....Q..i.L..DX.....l.?Yj?...?J..VK.(.}.t..eY./...mip....;.2...

C:\Users\abbas\Desktop\GAOBCVIQIJ\QNCYCDFIJJ.xlsx

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.976139977910017
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	.-..e.U....;..8...@:..i........\|rK\.....7..4.+.M..P@..~.....SP,f.a..mU.....~.MvZ.-5M...[..L2.G..N.APa..o.^_^...#.4...%.}`.dn..4....1..m.......I.v..=JR.......]TI...K...[..8).f.C6F\.....O....z6kt.=$OC.f..G....G...E.8....e.Ae.?M....)Junr.x..b.......E.>..s-.....t..T@.]C.t-..C....:PF....8.......m....K...@._B....C..$.T...d.W.Oj[6zl+o.!....7.?g....Z[mM..h.....6e..I.Wu4.N_P.!.G...i.Nr......".H...$7.Z.@..X.~.lrC.^`......Rd.~....C..\.k.K............S..j......M.J.v0..x.....].....h.dnw.p.&y...*....e........8...Y...B..1..`....R..z%4...'U....d.X}........&...v+...8T.(.w..xaXkdm`r>.ZIf".."..2J..S.3.`.fuG2<W(.....JQ.;b....c.e-!BF.E.i#g. .;a..9.......A[M......ry{I7;.]....G.r<....Q"..R.'....J\|.P./.&.H.<Z"....x..e..R...&..]...2.rI.L2d.O...@...&...F......a.p.%:.A..C0,....R}.......7.t\o..c)..H..._..J.s.P.W![z.x.o....\|t6..Z.i.....~.w.[......Q...d.............&'...%5UA..,.r5..&...=^..OY.r.`.?.....8O..........5.AeBOu.Qz..a4/...x...5..1LD....:

C:\Users\abbas\Desktop\GAOBCVIQIJ\QNCYCDFIJJ.xlsx.bbdabdeEdE (copy)

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.976139977910017
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	.-..e.U....;..8...@:..i........\|rK\.....7..4.+.M..P@..~.....SP,f.a..mU.....~.MvZ.-5M...[..L2.G..N.APa..o.^_^...#.4...%.}`.dn..4....1..m.......I.v..=JR.......]TI...K...[..8).f.C6F\.....O....z6kt.=$OC.f..G....G...E.8....e.Ae.?M....)Junr.x..b.......E.>..s-.....t..T@.]C.t-..C....:PF....8.......m....K...@._B....C..$.T...d.W.Oj[6zl+o.!....7.?g....Z[mM..h.....6e..I.Wu4.N_P.!.G...i.Nr......".H...$7.Z.@..X.~.lrC.^`......Rd.~....C..\.k.K............S..j......M.J.v0..x.....].....h.dnw.p.&y...*....e........8...Y...B..1..`....R..z%4...'U....d.X}........&...v+...8T.(.w..xaXkdm`r>.ZIf".."..2J..S.3.`.fuG2<W(.....JQ.;b....c.e-!BF.E.i#g. .;a..9.......A[M......ry{I7;.]....G.r<....Q"..R.'....J\|.P./.&.H.<Z"....x..e..R...&..]...2.rI.L2d.O...@...&...F......a.p.%:.A..C0,....R}.......7.t\o..c)..H..._..J.s.P.W![z.x.o....\|t6..Z.i.....~.w.[......Q...d.............&'...%5UA..,.r5..&...=^..OY.r.`.?.....8O..........5.AeBOu.Qz..a4/...x...5..1LD....:

C:\Users\abbas\Desktop\GAOBCVIQIJ\SUAVTZKNFL.png

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	DOS executable (COM, 0x8C-variant)
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.981862314842239
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	..g...rx.....l=jd....s1....%....2....=..yu...:....3&v....nY..@(.....g.......H.z'k.!P...\....<.i.......%W..y&..O.}8.T.W^........~.@*.....GJ.Z+....G.V...R,</.\..W..6k..9.={.&....x..T..3P...I.U..;..z...Nu..w...d.G..wp\W..pJ.....K;()..<...".A.R.3...d..-...Q...9...[Ss...z....Lx.....N.C.....-..7..1. W...]0?]....$.....^8...`yp.b..R.~..V.z....7...[.z.~.'S..I........'..d9Y..U...QN....J!......)...:Y.c.....'.y..B..O..Fc....vO.....y.-t.;..Kr-4&ky....\G.j...0.E........u%...+..I.O..(......P.....LcI.. : ~...0.....>K......\|..(.N...f..s.q...6..N)z.}.9YdQ....s..l....z..T`....-...n...,.;`kc:.~.H...Q.x/F,..K.T......9.v.&u.l ..{3.....+E..=.q..t..}.=Fl..{.q.h....I...wt..'........3w/...}..f\|.<T.e{.G.'&%..@.[..Z....?...f.x.d...Y....@6..A...1.I..Lwm.U...V...X...XzQ.h...b2.u../.d..?.5.P....8.b..sx..F.y...}.Q4.....Ev.4..yr.......{A[.M.1.\.g..{.#..B..q.VI.B.......\.-...V..A.RM'.._.v. ..i...D'..2{.....#..b...g.RbPHb..b...6..O...t..-...b#T..R35pYY...6jb.e..f.E...=.-..n.

C:\Users\abbas\Desktop\GAOBCVIQIJ\SUAVTZKNFL.png.bbdabdeEdE (copy)

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	DOS executable (COM, 0x8C-variant)
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.981862314842239
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	..g...rx.....l=jd....s1....%....2....=..yu...:....3&v....nY..@(.....g.......H.z'k.!P...\....<.i.......%W..y&..O.}8.T.W^........~.@*.....GJ.Z+....G.V...R,</.\..W..6k..9.={.&....x..T..3P...I.U..;..z...Nu..w...d.G..wp\W..pJ.....K;()..<...".A.R.3...d..-...Q...9...[Ss...z....Lx.....N.C.....-..7..1. W...]0?]....$.....^8...`yp.b..R.~..V.z....7...[.z.~.'S..I........'..d9Y..U...QN....J!......)...:Y.c.....'.y..B..O..Fc....vO.....y.-t.;..Kr-4&ky....\G.j...0.E........u%...+..I.O..(......P.....LcI.. : ~...0.....>K......\|..(.N...f..s.q...6..N)z.}.9YdQ....s..l....z..T`....-...n...,.;`kc:.~.H...Q.x/F,..K.T......9.v.&u.l ..{3.....+E..=.q..t..}.=Fl..{.q.h....I...wt..'........3w/...}..f\|.<T.e{.G.'&%..@.[..Z....?...f.x.d...Y....@6..A...1.I..Lwm.U...V...X...XzQ.h...b2.u../.d..?.5.P....8.b..sx..F.y...}.Q4.....Ev.4..yr.......{A[.M.1.\.g..{.#..B..q.VI.B.......\.-...V..A.RM'.._.v. ..i...D'..2{.....#..b...g.RbPHb..b...6..O...t..-...b#T..R35pYY...6jb.e..f.E...=.-..n.

C:\Users\abbas\Desktop\GRXZDKKVDB.jpg

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.978201573871916
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	.....Wj&Q....c.s...p....~%..i.....K..U......^O...v...x..P.'....3....e......../.r.Ot...........4.....j...2...9P.GJ_.t..... };....= ..._.c....... .......O...rQ@h...5K...u.<..I......\.1..?.NZr.........X.k...q..j\.r...O%.. T."......N...W.`E.n.{4.OQ..S..n..JF.....f.Y1m.a..>n..u^.....n..+b.....(.MKw...[W.&....5`.X.-.T.6..V..gg..@..B......nW.{+...,."......".D.r...V..~X..1..+s"..V5.8...H.G.2ap.W.7u..>...;.....U..<....E..!.U..3g.....". ..#Z.c.[..!..^.FD...I.....o...F..WN..M>........._>q6...u......."~....<.).r.:.9.2W.....B..V>c....X.m}."z.......c....W..D3.%.u.M......!'m}.<.....TQt9.T...v ..R.j}....R.........i$W...5.u<.p..~.Zx.I..q....Z.1gKZSE.E.+.z.C.U......s.....u.f....V....3..RyR...[.....F"....Y.m#!n ..q5R...`.....`!I.e.0pc8..u......^........0-...S..}...?..1........E@...M...R..A..k..O.k..0f&..Mu.......B.....z.9.N...YR..{.0G........Pc...;9.$'.Q.....>.6...a..N.#O(]..IUN...s........Pq4..pC..C.J\...#.....~n...7c....1Fj......%.=..^..#....Nr......:.R

C:\Users\abbas\Desktop\GRXZDKKVDB.jpg.bbdabdeEdE (copy)

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.978201573871916
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	.....Wj&Q....c.s...p....~%..i.....K..U......^O...v...x..P.'....3....e......../.r.Ot...........4.....j...2...9P.GJ_.t..... };....= ..._.c....... .......O...rQ@h...5K...u.<..I......\.1..?.NZr.........X.k...q..j\.r...O%.. T."......N...W.`E.n.{4.OQ..S..n..JF.....f.Y1m.a..>n..u^.....n..+b.....(.MKw...[W.&....5`.X.-.T.6..V..gg..@..B......nW.{+...,."......".D.r...V..~X..1..+s"..V5.8...H.G.2ap.W.7u..>...;.....U..<....E..!.U..3g.....". ..#Z.c.[..!..^.FD...I.....o...F..WN..M>........._>q6...u......."~....<.).r.:.9.2W.....B..V>c....X.m}."z.......c....W..D3.%.u.M......!'m}.<.....TQt9.T...v ..R.j}....R.........i$W...5.u<.p..~.Zx.I..q....Z.1gKZSE.E.+.z.C.U......s.....u.f....V....3..RyR...[.....F"....Y.m#!n ..q5R...`.....`!I.e.0pc8..u......^........0-...S..}...?..1........E@...M...R..A..k..O.k..0f&..Mu.......B.....z.9.N...YR..{.0G........Pc...;9.$'.Q.....>.6...a..N.#O(]..IUN...s........Pq4..pC..C.J\...#.....~n...7c....1Fj......%.=..^..#....Nr......:.R

C:\Users\abbas\Desktop\GRXZDKKVDB.mp3

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.980221378895594
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	.+I...:..R..0.H]6x..... .U....t.S.KU.a1.p...lH.M$.Q.......(qS...IHR.E....4.JU.....t+C.eQ.! 0.....$F<n..,."rI.1.......k.V......>.......`.. ....nB.N..).w..n.M.K.6n..?{....}Y"...n...f.(.d...\|..i...%....w...i........0........O.hjX..\|.#.....xC.9..i..}...Y.D.......h...oG....G[........}.v......03.P..z=[,.z.............X.HF..`Q.:.o{.mPY.....).....N....=..eZfx.....uNn..FZ-j..)''!.M.K....=n.n.......Z..g..w..&M.8/k.Su.5........v...4...R....V..../.;.$...)...w..r.d7hf.......`d..H.(.......j...T.....,.q+R=.f..P.2.V....._. ..w.k;s.\|aX....).<w..........1...7....[.p..k.5..e..<....{..]..5tr3..a...@..T}.5)\...N....X...T..P.....g.q.XE.....<.....e\:VpQ....vgM.v..0\|.)..C......',... l.....%....)...N..o./@......@3.)._......K<.....Zp...?..6p........./.x.s...x...V.`Z.,<.F?.b.#..LJP.w4).....;.Y...x...`..C...1.UaV...,C.Ds...SJJ...^.KH.t...3\...W=.....m..G.......(...W....i.<.`,.x.....Y..]...X...V..pF..L.....`..^....+...J..~..o.Mi..w?.Q.=....=..$K

C:\Users\abbas\Desktop\GRXZDKKVDB.mp3.bbdabdeEdE (copy)

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.980221378895594
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	.+I...:..R..0.H]6x..... .U....t.S.KU.a1.p...lH.M$.Q.......(qS...IHR.E....4.JU.....t+C.eQ.! 0.....$F<n..,."rI.1.......k.V......>.......`.. ....nB.N..).w..n.M.K.6n..?{....}Y"...n...f.(.d...\|..i...%....w...i........0........O.hjX..\|.#.....xC.9..i..}...Y.D.......h...oG....G[........}.v......03.P..z=[,.z.............X.HF..`Q.:.o{.mPY.....).....N....=..eZfx.....uNn..FZ-j..)''!.M.K....=n.n.......Z..g..w..&M.8/k.Su.5........v...4...R....V..../.;.$...)...w..r.d7hf.......`d..H.(.......j...T.....,.q+R=.f..P.2.V....._. ..w.k;s.\|aX....).<w..........1...7....[.p..k.5..e..<....{..]..5tr3..a...@..T}.5)\...N....X...T..P.....g.q.XE.....<.....e\:VpQ....vgM.v..0\|.)..C......',... l.....%....)...N..o./@......@3.)._......K<.....Zp...?..6p........./.x.s...x...V.`Z.,<.F?.b.#..LJP.w4).....;.Y...x...`..C...1.UaV...,C.Ds...SJJ...^.KH.t...3\...W=.....m..G.......(...W....i.<.`,.x.....Y..]...X...V..pF..L.....`..^....+...J..~..o.Mi..w?.Q.=....=..$K

C:\Users\abbas\Desktop\GVYSd_readme_.txt

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	ASCII text, with very long lines, with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	3767
Entropy (8bit):	5.732856634724589
Encrypted:	false
SSDEEP:
MD5:	7F667C5043C13EF8C7FE84FB09E8BD40
SHA1:	BDC0DA66FDA4BFFE3A79542B71C437A5A13B737D
SHA-256:	F266487A7EACF5C42C2AEA38F2B1A917189E77FBD1622441E146B13004861FCE
SHA-512:	A48217B52D9F39E1DE225C008B26D68306B4FBFC8B226A764F22311E46315F1CEFD81D52360EEF299DBAD46025AB50A5EF707664988B906DFF9912CF71FC3870
Malicious:	false
Reputation:	low
Preview:	-------=== Your network has been infected! ===-------.........*************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************.........All your documents, photos, databases and other important files have been encrypted and have the extension: .bbdabdeEdE......You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!......The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!......We have also downloaded a lot of private data from your network....If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.......You can get more information on our page, which is located in a Tor hidden network..........How to get to our page...----------------------------------------------------------------------------

C:\Users\abbas\Desktop\NVWZAPQSQL.png

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	modified
Size (bytes):	8728
Entropy (8bit):	7.9797690361834475
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	....o;.O..-z.t5..l.......\..h..8.L..).....[......2.y.#d?.^.;V....$.#....m....X..R8N..\...7.G.I..H..=W%3.s.....c.#...Vt.....M.^2..K.#.....5B8!.C..Z.....>......rF.....I....0uH..4......>hzr.....dG.J..`....H.....6.s...t^.Fy.G...c.G.:.w /.."6..a!AC......%."..[..Iu<D;...[SKx....>....\.......of#...\k....pX.......C..S.ru/6....P....cj...U&..>...d.F..U..-<jA..nR=.....Lfx!...~....{D\|..M...%........._..P.....Mj6.l.;\_.J.w2.^..s/.C...m..5.I^.eZ...K.<..Q4.........%+N0\|...I!...........+T..$.L...J%.u.&.@m...z=.T.#....j..GUM..fFL3.~...(.. .\|s.<0....9....5>..x.p.......*..1G.E..5.k...T8..4.q3..M.........\.l..%....} ..#...\.H..o.9.[....o....D.A4b....M.{...)@..e...B...T.Y`m..F..........P.1.$".X..8.8.%\|...#.@P7k`...;.c......%..-..RS.=.@..I....q..K9./....g.-.y;..s..A..(......yW.a..8..v...'..^.>.6Q.......$.b..u......}.%3..J4Q1.S.M.\.Qj.....7..M8:][.1.T1.O...1<..Few_......u.....b..T....U3..r..O........-.......\//.=.%........o:R...l..`...p...+.:Y.F..

C:\Users\abbas\Desktop\PIVFAGEAAV.mp3

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.977753367936546
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	..Y...R..S...V,-..\...c.1.....{.......A......2`...a#.5.,..+.I.....{.!..................2.X......a...KZ.l...p..W".R....b%.;~~...K..`..`-...M..._Cw..A.?n..6.Lb...+...........)a..a5..@r.HQ....`H..By./.b...@eD...OW....e...1....Af..?OY.....AO..D.z..G....%...`..Y..:...YVC.w.3..Y"..E...........86.V..;F...Wp\|.!1....g..(.d.P.k.+.S.,..2...,=....w....k..+F.WJ.`..u.U.....E..s...........iB.R]..............q..k.>...y%.K.t..7....P....5...D..H...I].xM...'......v...1..v......D..Ro..V.3....\.F........4>..n...oex.r.N.b...jl.-.......M...9O.S...............T..._u... ...T.9}}q..7..m2.A.Q2.#.....0zF.S..#R.E.I..L....).fm.!.a..A..7$.s[u...A4.>.E.^.~.idCh\y..5,.m.`............._x".r.. .....;.d...R.x.;...(...P.d. DMd%y..M...m_R0;q.....y6].X...yZ..fP..J.j.A....,....Ud;..F5...&..W.E..e..2.7..l.xT.\....J#.._._}...6][3.[q..<r..X......1.:9..CJh...VK......!d..\i...r:..k8..5.c.........:....~...y....o..c..L.W..6..F..u.1..(..6..2.A'.>...d;$..jA.).G.F......KY...E....}qU8.3.M.V6

C:\Users\abbas\Desktop\PIVFAGEAAV.pdf

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.9777735966039245
Encrypted:	false
SSDEEP:
MD5:	584B68D58631074B26271D2FA9A7BB87
SHA1:	0CA017E39916E1EF715D25B1CAE7AA23C8179FEF
SHA-256:	93233651DA71AD48F3036723EAD37FADD01E514A52ABC2BBC12AA5A0F8D9B316
SHA-512:	9E43E91065564181BBA5237677322B04B0ACE80A85D03223DA4A527BFDA121CE496FBF01662B1A184569A6E2CC6DA93DCBB5C4926CAFEC37293B997E8B9BBCCF
Malicious:	false
Reputation:	low
Preview:	..&GU.....(...oF;g/...X.?...C.sa..@2......I4.N.9.y.b.3.z.3..E.N.......5V.l6O.\.@((..8q......2......9d........`UD.L...........<.z.[x$dI.~5.8y...E@\..:..$..H...h.C....u....3/.W.mm......xC...?~iK........crI.`..m.9..../.z(.V..G.@..%z.._..\|.SO.].....8.....O......kaZx..B.w.d.........>..............i..4......}.E..._f.$t{...Ial.B6.F.2.u...u..........\.[.c6................f..b\|z.s......W..Lh.R..92....K....4U.#.......ri.>T..BJ.L..Z......r!I.+.q...,7._p\m...+j?.^J...k52d..[...R...PF.. xa....Q.7.}..?!.\|~.(.w1:Di.2%VR..na.R,..2.%\|b.T........Q!?..Z.W.\|6.7....`+.....xf{..?..l.8..:]._...0..4...mK.d.z.s...h.EKF0...p..3S..=..#.7)bQ.L..Z2.A}..1J....#..qLw.s..V,r....>.Z._...(H...<...j...U,...B..c.......B...W..v:.T~.u.2q9pK{e}..y..lP.`FS..:.6.l8.}cF8u.S..>....f...Y.......p......>!.Z.s.?.U.....2....38.5...n..v.c.6^.......*...^.....d.s...y...../.....\..:.W.....X7n...n...0.$...m.A@..At..4#j..GR.0E.Q...{....M@......:l;..a^....`.......,.z.C?b{e.H.x.Y.u).n.A&.^..

C:\Users\abbas\Desktop\PIVFAGEAAV.pdf.bbdabdeEdE (copy)

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.9777735966039245
Encrypted:	false
SSDEEP:
MD5:	584B68D58631074B26271D2FA9A7BB87
SHA1:	0CA017E39916E1EF715D25B1CAE7AA23C8179FEF
SHA-256:	93233651DA71AD48F3036723EAD37FADD01E514A52ABC2BBC12AA5A0F8D9B316
SHA-512:	9E43E91065564181BBA5237677322B04B0ACE80A85D03223DA4A527BFDA121CE496FBF01662B1A184569A6E2CC6DA93DCBB5C4926CAFEC37293B997E8B9BBCCF
Malicious:	false
Reputation:	low
Preview:	..&GU.....(...oF;g/...X.?...C.sa..@2......I4.N.9.y.b.3.z.3..E.N.......5V.l6O.\.@((..8q......2......9d........`UD.L...........<.z.[x$dI.~5.8y...E@\..:..$..H...h.C....u....3/.W.mm......xC...?~iK........crI.`..m.9..../.z(.V..G.@..%z.._..\|.SO.].....8.....O......kaZx..B.w.d.........>..............i..4......}.E..._f.$t{...Ial.B6.F.2.u...u..........\.[.c6................f..b\|z.s......W..Lh.R..92....K....4U.#.......ri.>T..BJ.L..Z......r!I.+.q...,7._p\m...+j?.^J...k52d..[...R...PF.. xa....Q.7.}..?!.\|~.(.w1:Di.2%VR..na.R,..2.%\|b.T........Q!?..Z.W.\|6.7....`+.....xf{..?..l.8..:]._...0..4...mK.d.z.s...h.EKF0...p..3S..=..#.7)bQ.L..Z2.A}..1J....#..qLw.s..V,r....>.Z._...(H...<...j...U,...B..c.......B...W..v:.T~.u.2q9pK{e}..y..lP.`FS..:.6.l8.}cF8u.S..>....f...Y.......p......>!.Z.s.?.U.....2....38.5...n..v.c.6^.......*...^.....d.s...y...../.....\..:.W.....X7n...n...0.$...m.A@..At..4#j..GR.0E.Q...{....M@......:l;..a^....`.......,.z.C?b{e.H.x.Y.u).n.A&.^..

C:\Users\abbas\Desktop\PIVFAGEAAV.xlsx

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.982132068377269
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	.;9`..X2ct.$d.5.F....I..]#q>...L........J...E.v..Tu")MUqJ.......s~.H..#..I.@3..{.......+(..o)..&.l.N.C.P>.....n.(B......2...........+4lZ...H...!........b.o.....n..E..T[...w?.4s ....R.....0?.A..cm.fD=..I.uC7...Q.X]x.z...^.....ik.;nR....RU..@.2....L5..Z..R......X.`..MT<yS..g.;..1i.h?...........{.V>.).X.\|U(Tb...i.2@..-5..e....}....x]V....SF.....P-.:.=]...xgD.(U.1...S....}y..J=..\.HXv...'`1..;.M5....jA.....v......r...5....<.:g......i........\....7.....B`.T..i.Df.in..U).0...C$a.^.$..)S'...v.b..]B.x.`..<...r..".............= .1]&.......Z<5.C}Ev.......K......hc.y.m.N....+..0.r..\.kM.p..^..5\4.Xb...I...G...T..Z_..d%~X}9z.(NH.....2F...0E'b......7}.V..`.z.Y.el.e.v.k......x..S...DD..f.o..)...$.....zo.{q.....3.o:..4.C.?...uDm..6..0..1.<..s.{......Q._^...r.6...gpJ\.<.....$^.../.1.Wh..'..q^.O_.:OZ..+.........&.6.e.4...>e...#N.(Q.....&..-...r.N....U....6a.(g.1.3..:..!T....{!Q...A...6.Y.O#.'.>#.......BI.4..l;..../..vL......]>+.b...zYhD..8t....I

C:\Users\abbas\Desktop\PWCCAWLGRE.jpg

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.976969885908933
Encrypted:	false
SSDEEP:
MD5:	E58047559B3792896E40170B9826E448
SHA1:	5E40A596CA91175124F7F6EA3D2C2F82286E0AF1
SHA-256:	C918FA01AB90075B913A8268A6A1B779A74218C3D04E4B3D1901EBE367ECB30E
SHA-512:	D9925B4C3D32F0045143F9C932D347ABDBA57768DB5CB337EFD370F58494A2636A60D203FB192888A0881A3958DE1B56C49F7CCC23D472449E262A8B46550E5D
Malicious:	false
Reputation:	low
Preview:	..u.u.^...X.P.........J.H.!o....Hb....e5..".4=..4.. U..(..w.G..d.hk..8a3...}..[.E!M.....v"#..7.c....n..6K...{..o!...#.f...`...]I.@...%#.e..#.........._..._y...vlEWI..]...5..V".....=...........N?R.$...K[_s._C\...[J....;-..5yG..Q..CM.........O=ekj.K....Ec.N..j...._..s..6W.....gQh."..A..>]C..!...l$...&d...!..dz.2c\...6.9.........)d.w..7..&k.I4)......{.kg.....@........A...7..P!...._...d(.>F0..kc.#.b5&..R.2..N.I4.ARtfE.6([.....d.A.R..'.....7G......z^...Qc...L..J......^..}.. ............J...0.>N.<f...#/.....~.BsLv....S...F..0. .....>..e...M......Z.!s..f-u...a.`.x.M..=AA...^W.tq...].U.....=...u....r...b.Uo....Z2M..n.iL...Lr4..C..-...Yqb)In..\|Xk.h]..BI.n.....V8..g..X...2H...9....S..&z.cs.L..M.Ol.H...p..b_ ..DK=.Bj.f.z....`.;.......H[..}......u<K{......CJ...(xE.`.L.8..P.C\|...".'.m....s.....LK].C.^f........ ...1.......0<.z.;.3Usu.."YY.V..K.t.ls....u.`nD.......W.I2R.j.yI.aa.3u.P..n..RJ6.a..#...'$..&...1.HH.X..m./.._........,L

C:\Users\abbas\Desktop\PWCCAWLGRE.jpg.bbdabdeEdE (copy)

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.976969885908933
Encrypted:	false
SSDEEP:
MD5:	E58047559B3792896E40170B9826E448
SHA1:	5E40A596CA91175124F7F6EA3D2C2F82286E0AF1
SHA-256:	C918FA01AB90075B913A8268A6A1B779A74218C3D04E4B3D1901EBE367ECB30E
SHA-512:	D9925B4C3D32F0045143F9C932D347ABDBA57768DB5CB337EFD370F58494A2636A60D203FB192888A0881A3958DE1B56C49F7CCC23D472449E262A8B46550E5D
Malicious:	false
Reputation:	low
Preview:	..u.u.^...X.P.........J.H.!o....Hb....e5..".4=..4.. U..(..w.G..d.hk..8a3...}..[.E!M.....v"#..7.c....n..6K...{..o!...#.f...`...]I.@...%#.e..#.........._..._y...vlEWI..]...5..V".....=...........N?R.$...K[_s._C\...[J....;-..5yG..Q..CM.........O=ekj.K....Ec.N..j...._..s..6W.....gQh."..A..>]C..!...l$...&d...!..dz.2c\...6.9.........)d.w..7..&k.I4)......{.kg.....@........A...7..P!...._...d(.>F0..kc.#.b5&..R.2..N.I4.ARtfE.6([.....d.A.R..'.....7G......z^...Qc...L..J......^..}.. ............J...0.>N.<f...#/.....~.BsLv....S...F..0. .....>..e...M......Z.!s..f-u...a.`.x.M..=AA...^W.tq...].U.....=...u....r...b.Uo....Z2M..n.iL...Lr4..C..-...Yqb)In..\|Xk.h]..BI.n.....V8..g..X...2H...9....S..&z.cs.L..M.Ol.H...p..b_ ..DK=.Bj.f.z....`.;.......H[..}......u<K{......CJ...(xE.`.L.8..P.C\|...".'.m....s.....LK].C.^f........ ...1.......0<.z.;.3Usu.."YY.V..K.t.ls....u.`nD.......W.I2R.j.yI.aa.3u.P..n..RJ6.a..#...'$..&...1.HH.X..m./.._........,L

C:\Users\abbas\Desktop\PWCCAWLGRE.xlsx

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.979260137384466
Encrypted:	false
SSDEEP:
MD5:	6D855CB97419357298E41616D514E6A4
SHA1:	F9C80B30456970C30C85F165432B7D9330DB58D1
SHA-256:	81804E4489EE9FC59B7AB167599821013042DE03FD72A35AA9D4DA37362997B6
SHA-512:	53532479600F770853E5E1C22C78310BD943A7CAD7B10266E2B407B2EAFA8E2143BDAE75BC36E96DC877149A8787EC07A1D8312B14C222E09D636D6E6C660002
Malicious:	false
Reputation:	low
Preview:	N.zCC.c._5.;X)K..\|...[Y..J.>.4.uk..$.l. ..I(..+/..I.....3s...O%Z....K.....M.5W!=Gi..:.D.bAz-.\|.%~.?...m..{.p.s...}f...k.F)O.V.._...r.\&....I.......wLT."..n.~...%...x.m....frh..j.Y.E...5[_..D....3..pX^.m..a$ni......n:..^....O.r.".f.-..!.!.#.~.w6...4.7.L&G9~k^O.u..I.u<.....W..1....w........f..........0e=.dT\^<)).z..................7.=./..tN+.......k)!.........,..../....6...g7......2..X~....O.....$b.t....Wp.}.@D._~..O..UQ......x.6...3o%Ud..t...n.ZVwK.gfc..f\.]....sI4P+.J.G0.M. .O./....3A..z.r..I..j>C.{x...._O..bC....'.b....h<...0.U..R...w.MT.#..{.m+...S..XR...N.z.......S..$?..M... 5" ,.>....k..:..?.<.2.....0..!nG.]y.B.5.\|>2&.S.L.a.7D......qE.....e_.......$u<...{(2K..Z.B..r.#.......058....#..X...".8./.PV...L.a..p.VD.S..{tDa....E.r.,.....O+(I.`...L.U.S..U.n.4z9;..)BO... MA.@.p.G...+....}X..Y.....l..W.].y.lYg.....JV.....g...:K...^B.,..5 ..%^..y... V..^.bh.....6....#...M..........Q....b.H...\S..in...N..d..]@C.?9X.6A.K..gWCAkk...uo.\0.............

C:\Users\abbas\Desktop\PWCCAWLGRE.xlsx.bbdabdeEdE (copy)

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.979260137384466
Encrypted:	false
SSDEEP:
MD5:	6D855CB97419357298E41616D514E6A4
SHA1:	F9C80B30456970C30C85F165432B7D9330DB58D1
SHA-256:	81804E4489EE9FC59B7AB167599821013042DE03FD72A35AA9D4DA37362997B6
SHA-512:	53532479600F770853E5E1C22C78310BD943A7CAD7B10266E2B407B2EAFA8E2143BDAE75BC36E96DC877149A8787EC07A1D8312B14C222E09D636D6E6C660002
Malicious:	false
Reputation:	low
Preview:	N.zCC.c._5.;X)K..\|...[Y..J.>.4.uk..$.l. ..I(..+/..I.....3s...O%Z....K.....M.5W!=Gi..:.D.bAz-.\|.%~.?...m..{.p.s...}f...k.F)O.V.._...r.\&....I.......wLT."..n.~...%...x.m....frh..j.Y.E...5[_..D....3..pX^.m..a$ni......n:..^....O.r.".f.-..!.!.#.~.w6...4.7.L&G9~k^O.u..I.u<.....W..1....w........f..........0e=.dT\^<)).z..................7.=./..tN+.......k)!.........,..../....6...g7......2..X~....O.....$b.t....Wp.}.@D._~..O..UQ......x.6...3o%Ud..t...n.ZVwK.gfc..f\.]....sI4P+.J.G0.M. .O./....3A..z.r..I..j>C.{x...._O..bC....'.b....h<...0.U..R...w.MT.#..{.m+...S..XR...N.z.......S..$?..M... 5" ,.>....k..:..?.<.2.....0..!nG.]y.B.5.\|>2&.S.L.a.7D......qE.....e_.......$u<...{(2K..Z.B..r.#.......058....#..X...".8./.PV...L.a..p.VD.S..{tDa....E.r.,.....O+(I.`...L.U.S..U.n.4z9;..)BO... MA.@.p.G...+....}X..Y.....l..W.].y.lYg.....JV.....g...:K...^B.,..5 ..%^..y... V..^.bh.....6....#...M..........Q....b.H...\S..in...N..d..]@C.?9X.6A.K..gWCAkk...uo.\0.............

C:\Users\abbas\Desktop\QCFWYSKMHA\DUUDTUBZFW.png

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.978098351617084
Encrypted:	false
SSDEEP:
MD5:	3067AA92E9C18C2F3E06812E35033B5D
SHA1:	CACA2F7672F085A029A56DE69FC9AC437499A59F
SHA-256:	F8313D0270E1ED45174454400524778515FA61C694B04E521EF87E902850CC0A
SHA-512:	1B82100530049EDB68A1A390F70E84C1B3DD20343F191C74C881CC825153CEEDCAB3F7D19E1DE07BB8750AF264AD7B24EFF2780CB1544ABB03407B3DAA284A1E
Malicious:	false
Reputation:	low
Preview:	.C..De.v....~.$.....g.iM...Q?.}.'......<...a.RY0...0.m.7.p.:..)\r...!....^....j...=@B.....N........HH.....:/$J....U.8lG.. QDZ....n.N`..o..sy...,D...0.FJj..n(...4.r.V!~....5K..M.../:..(lt...1.`..-.X.4l..v.r...t.T...>.@.:.........U...."....$.............q.I0.oY...].>.E....n.F..R.^6.5....p....l.+..o.....p{o.R.t..">...T.#.._.hf.(......T.O..`..x.":. Tt...../Dg'.V.....I.^gz-....U;...OMw,....I.....?'.(..tI.y...s.]a...'.0......a.BG4..(Eu....Z'.+[...V..?........z..:s`i.I.....]_s.......MGL...w...u.G+m..8.....~.N/B{z./.L....N.\.......[....*.,..s...{g`...P.......v...k..o\..7....!w~#.o..O..V@.b.Y.(.}T[V...J.!bA.%..T.i'.2O%.._f......g...0u.py..Ae.`...../....../.u....M.....P.1.t...%...e'KE.A.]8.u}j....n.3U9V'...P..W..8^........[a..{/.....H".r......s.....T...s..].G...w..3T.&.Jr...7jZ./x.\|...F..h..Vo...@..Nx...=c7me.{-]8.+.....;.m..b..f."...1#...W...~.Z....a....(.......hl........%.=.W.)..u.0..f..~.X.(."......%.k.$..m).;;..C;..qH.R.%.J.8.......Xf.

C:\Users\abbas\Desktop\QCFWYSKMHA\DUUDTUBZFW.png.bbdabdeEdE (copy)

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.978098351617084
Encrypted:	false
SSDEEP:
MD5:	3067AA92E9C18C2F3E06812E35033B5D
SHA1:	CACA2F7672F085A029A56DE69FC9AC437499A59F
SHA-256:	F8313D0270E1ED45174454400524778515FA61C694B04E521EF87E902850CC0A
SHA-512:	1B82100530049EDB68A1A390F70E84C1B3DD20343F191C74C881CC825153CEEDCAB3F7D19E1DE07BB8750AF264AD7B24EFF2780CB1544ABB03407B3DAA284A1E
Malicious:	false
Reputation:	low
Preview:	.C..De.v....~.$.....g.iM...Q?.}.'......<...a.RY0...0.m.7.p.:..)\r...!....^....j...=@B.....N........HH.....:/$J....U.8lG.. QDZ....n.N`..o..sy...,D...0.FJj..n(...4.r.V!~....5K..M.../:..(lt...1.`..-.X.4l..v.r...t.T...>.@.:.........U...."....$.............q.I0.oY...].>.E....n.F..R.^6.5....p....l.+..o.....p{o.R.t..">...T.#.._.hf.(......T.O..`..x.":. Tt...../Dg'.V.....I.^gz-....U;...OMw,....I.....?'.(..tI.y...s.]a...'.0......a.BG4..(Eu....Z'.+[...V..?........z..:s`i.I.....]_s.......MGL...w...u.G+m..8.....~.N/B{z./.L....N.\.......[....*.,..s...{g`...P.......v...k..o\..7....!w~#.o..O..V@.b.Y.(.}T[V...J.!bA.%..T.i'.2O%.._f......g...0u.py..Ae.`...../....../.u....M.....P.1.t...%...e'KE.A.]8.u}j....n.3U9V'...P..W..8^........[a..{/.....H".r......s.....T...s..].G...w..3T.&.Jr...7jZ./x.\|...F..h..Vo...@..Nx...=c7me.{-]8.+.....;.m..b..f."...1#...W...~.Z....a....(.......hl........%.=.W.)..u.0..f..~.X.(."......%.k.$..m).;;..C;..qH.R.%.J.8.......Xf.

C:\Users\abbas\Desktop\QCFWYSKMHA\EEGWXUHVUG.pdf

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.976639186102637
Encrypted:	false
SSDEEP:
MD5:	DAC15735F286C42A4875524C07711542
SHA1:	06B3B80A67A8371153C3929729369B80417235DE
SHA-256:	11205EE1F88ABBAF94056A90F0236D3EBAABE165F9CB1867E191547FFF04B133
SHA-512:	4B999E449BA43834C3E91A91E4AC05CCC397A813364BA41AA74E12D02D35A40FF4CEC04F7069DD4479BC5732C3C09BA5026D1A616141346B4BA439A142850D96
Malicious:	false
Reputation:	low
Preview:	.0..a.8.K._.i..Z....U4...cY..t...s.4.1j#.^...=e....6....T.KS.^.W.....da........$.C.x...IrZ:...{..0...a...,}n..B.Epr.pi...!...X]e.t...1.w.-."%..%..!/.".........#.....h......j..........Z..s....Rma8... ..)j.{C4n.H<.... 0.......\|.X.t.E.zE....F...d.._..rW1c.SV,...I>.]D..#nc...........v.......M.2s....b..rM.F...C+.......RA..)SU..t...j5..C....<...l..>...j..OM..n..'<...R...'$.O(.J..b..H.0>>._6.Dv4..L.QqH.Q..3E.7j..R.D.p.....R..6.A..}..3t....F....i^.`6.,<.t]../.......K.Ho..g.Xb.\|....i......fJ+i.J.....s..^<i0.SJ.A.T....{.....`!...GA..5.}k,&\..qz...R..$>^.........Gkn.....}o.....;B/t..h..d..iQ..z.4.....`.Ux.^W.....@.Q,.6.-.d.W...s.5..~..S.......o.....\|.`e.T...%?L44.A.t{.6..L.6..@_}?M...A.....~W.e.Y0...N.....W.a...5S@J!....>.....[..:.K...........E.Q6....?j..-......%.;......... .m .w.....(C8......vY....Y..N..'.a..*.K`.._...!."..k....-.\|..'&u..pg]...y.y..bR#......4;wN..k)...@..$.=..k..#........+..D......M.......J.c.x.j.,E.{W\....J.......

C:\Users\abbas\Desktop\QCFWYSKMHA\GVYSd_readme_.txt

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	ASCII text, with very long lines, with CRLF, CR, LF line terminators
Category:	modified
Size (bytes):	3774
Entropy (8bit):	5.7325519148058985
Encrypted:	false
SSDEEP:
MD5:	E3EF42CBB4B0EC5B95EDBE0E7AC1BFE8
SHA1:	48454D9025C48E132330C57516146FC318083A12
SHA-256:	921F96A5FF2E014807A2B4D7A6FA17D3E12268873131FD8D3BCAE9A44E728C49
SHA-512:	BD2CD2B42A7DEC0FEBDCE3FD9BE004A6FA363DD668227DA190930D67F173D98415F4D738453CAFC45324F42AA94706BD8304E696C8891023745E52105B5AC075
Malicious:	false
Reputation:	low
Preview:	-------=== Your network has been infected! ===-------.........*************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************.........All your documents, photos, databases and other important files have been encrypted and have the extension: .bbdabdeEdE......You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!......The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!......We have also downloaded a lot of private data from your network....If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.......You can get more information on our page, which is located in a Tor hidden network..........How to get to our page...----------------------------------------------------------------------------

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\wbem\WMIC.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	48
Entropy (8bit):	4.305255793112395
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	ERROR:...Description = Initialization failure...

\Device\Mup\DC-01\public\employees.xlsx

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	16920
Entropy (8bit):	7.989725459788761
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	.-`P.%.........b....f.>/H.=R..V\|~I.\.xp_Cq...=.7kb.......K.Z.v.;.T\.n..s.....f...-...t5..lv...{`.[.$X.f...Y.......o[}.U.]'.BC..t.7..R.9....5...E'....K.i9hr^...U..9P..;3...........8....B%...b.#.pf....y.^...&..P._.1...rc.(.->.`M..nBVE;..A.."../.h....!/..iH..0ND3....A3.......(.&)s.8.'...oV....... 6.a...K[4...W.?..h.v...'...v.....U..@.G.e.HP3.v.......5'G..='.H.gn.Wj.:I.........#.Ie.Jv..U..g%)A......z...<...F.4.wd....f%...d../p....([...g..s@..^.....sI..#..Gkc3:.....9......y.,<A.....3.....Z.ZA'..)H...Q.=&BEj.._uhs^..J...fK.w.I...[3.4ixzJ.*..QJ..".....Z.....x..)f.q. .34.t...C'....M.J\|..................;7..sx..0#d.$.\|....{...1j.C&q./r.q#....C%..e.#.l.;9X.)h$....#y.!...........#..,.~...j..L.;.].A.C...q...rp..Z5.....TP.!....Y...3.UyZ.oh.Q...@]..[...f..w........&.xX0]0\|P......!.n.....>........6ao...MU+[.Dp.....t..B.0...:.....R"...6Dl._.E^f..t..nPI..6.q...{....%....fA.F.}\|P...._}.....Q..0.c...,..@wIN...t..r.:.+\|..Z...+.=..z.........l..@....I.zPc.....C.X.P@

\Device\Mup\DC-01\public\invoice.pdf

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.979125071058783
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	W.}.=....>\|.FaN...>uz........8T..Hxn..K!.r.....3.q..^....\|...(.ud.V.A...w.....~I%...+.R...8.`.I..F'......[@.%..\|o:WR.<&... 6z?..L.....!.y.<......pr..i;p...a..>..x.....v(l.....r.}..^l~..Kp9H...Z.cxz.<.N..d[.G.......:w.Tc..Q...PVn"..JR;b...>.]...`...8....L[$.f%...S1f.g.5.2.....F.W.(......Qd.H.>L...<......e.F.+.{..m...W .......cF.>.F.....w......._.$.t.i......[.-.iZ...rF.D.\V....4z.Llh.UF'Z0......;...2.D..3....".Am.$.t.....h}.....-P.-I.].).........n....Z..I.d^.{.7..$8......=.{.Kw.p.XHGae_....m<2Q#..yYP.5....).+].\Mv[k...AQIq..s.X.`.6~..AUSR.DH~......S...,M8t...Q.N...5.........jg=...:..Q.L..s.....`...9.....<{.........cN.Y..(.......W.C..H...1Wn...t..Ba.\.2.NU..:t;...V.....V... ........s.a..N1.3...&..3`eM..........2..h....u.e{_<.,.. .3S..3..7x[M(T.... .j.n.<..Q+..GC~.x....C..... i......=G..K.z.[.O;..e....8.b.?...@+...G[T....B.y}".A}.\|.V7.~s.K.._..,Od...&1:..N....i..U.s.Y.D.R.`...j.4...G...{I.o...%.06+....@../n4...f.e8.Y9..}.....&..

\Device\Mup\DC-01\public\tax figures.docx

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	16920
Entropy (8bit):	7.989457966165604
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	.:..r.H.......i.+3......?.....B..Zw9.,.~~.s.;O@..x<0Y)..:.;..J#......Fmc\..%../i'....Xg.C.k.o.;..Q...8....8..:(.{..!R....\.6dAf..E.P.".........bl...rD..<x.Z ^..zu..5.....=U......o..e....z....0.>y.u......~.S......6\...0g.I..`..j~..Zh8.+..En.K.n.e.W.=. 0.#.....~...PE...../.R.Go....%<.....9..sy..........P..\[..f.(.v....i.....x....._......f..jbN$$.D.}.......4...n1w.)......Q..O...#O.^s...^......p.I....S.@.N....8...4&..U\y..}.rO...f..\|.&xJj..9...^:..a0..oK.........\|fK....(.OD-..3......bm...:...l7..,..a..i.......v.e...smb0..M.}JC..P>!...gW\|7y.%...mi.=B...@.(.X.n.%..HU.!)..Zw..{...M..x..A...,=B..e..Rq~.g}&M9..z2Q.&WJ..."...r...@.o..TQ...g.g7..X.....ug.u(.6.I.....H...nva..<..&OR...U.../>]......[.J..h.O}<.o^.).]..1.......+.1.Z.d..B>......>..v.I.&..B.=/R:... ...b...._..//%.s..H...Z.N9..k....O;c'..8.i.^...f0Im{..E0./$.........}tER../.pkL;..<D...f..p..]S.\|..yk%..T/i.........`..H....3.s(m.we6.L......._..@.:{.skp.i.D.?.<*m..Z.hL..%...d..B

\\DC-01\public\employees.xlsx.bbdabdeEdE (copy)

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	16920
Entropy (8bit):	7.989725459788761
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	.-`P.%.........b....f.>/H.=R..V\|~I.\.xp_Cq...=.7kb.......K.Z.v.;.T\.n..s.....f...-...t5..lv...{`.[.$X.f...Y.......o[}.U.]'.BC..t.7..R.9....5...E'....K.i9hr^...U..9P..;3...........8....B%...b.#.pf....y.^...&..P._.1...rc.(.->.`M..nBVE;..A.."../.h....!/..iH..0ND3....A3.......(.&)s.8.'...oV....... 6.a...K[4...W.?..h.v...'...v.....U..@.G.e.HP3.v.......5'G..='.H.gn.Wj.:I.........#.Ie.Jv..U..g%)A......z...<...F.4.wd....f%...d../p....([...g..s@..^.....sI..#..Gkc3:.....9......y.,<A.....3.....Z.ZA'..)H...Q.=&BEj.._uhs^..J...fK.w.I...[3.4ixzJ.*..QJ..".....Z.....x..)f.q. .34.t...C'....M.J\|..................;7..sx..0#d.$.\|....{...1j.C&q./r.q#....C%..e.#.l.;9X.)h$....#y.!...........#..,.~...j..L.;.].A.C...q...rp..Z5.....TP.!....Y...3.UyZ.oh.Q...@]..[...f..w........&.xX0]0\|P......!.n.....>........6ao...MU+[.Dp.....t..B.0...:.....R"...6Dl._.E^f..t..nPI..6.q...{....%....fA.F.}\|P...._}.....Q..0.c...,..@wIN...t..r.:.+\|..Z...+.=..z.........l..@....I.zPc.....C.X.P@

\\DC-01\public\invoice.pdf.bbdabdeEdE (copy)

Download File

Process:	C:\Users\abbas\Downloads\MjdQMcMxBd\ab.exe
File Type:	data
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	7.979125071058783
Encrypted:	false
SSDEEP:
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	low
Preview:	W.}.=....>\|.FaN...>uz........8T..Hxn..K!.r.....3.q..^....\|...(.ud.V.A...w.....~I%...+.R...8.`.I..F'......[@.%..\|o:WR.<&... 6z?..L.....!.y.<......pr..i;p...a..>..x.....v(l.....r.}..^l~..Kp9H...Z.cxz.<.N..d[.G.......:w.Tc..Q...PVn"..JR;b...>.]...`...8....L[$.f%...S1f.g.5.2.....F.W.(......Qd.H.>L...<......e.F.+.{..m...W .......cF.>.F.....w......._.$.t.i......[.-.iZ...rF.D.\V....4z.Llh.UF'Z0......;...2.D..3....".Am.$.t.....h}.....-P.-I.].).........n....Z..I.d^.{.7..$8......=.{.Kw.p.XHGae_....m<2Q#..yYP.5....).+].\Mv[k...AQIq..s.X.`.6~..AUSR.DH~......S...,M8t...Q.N...5.........jg=...:..Q.L..s.....`...9.....<{.........cN.Y..(.......W.C..H...1Wn...t..Ba.\.2.NU..:t;...V.....V... ........s.a..N1.3...&..3`eM..........2..h....u.e{_<.,.. .3S..3..7x[M(T.... .j.n.<..Q+..GC~.x....C..... i......=G..K.z.[.O;..e....8.b.?...@+...G[T....B.y}".A}.\|.V7.~s.K.._..,Od...&1:..N....i..U.s.Y.D.R.`...j.4...G...{I.o...%.06+....@../n4...f.e8.Y9..}.....&..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.16411908069709
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ab.exe
File size:	794112
MD5:	0b486fe0503524cfe4726a4022fa6a68
SHA1:	297dea71d489768ce45d23b0f8a45424b469ab00
SHA256:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
SHA512:	f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619
SSDEEP:	24576:TCs99+OXLpMePfI8TgmBTCDqEbOpPtpFhyxfq:5GOXLpMePfzVTCD7gPtLhSfq
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9.I.}.'}}.'}}.'}i.$\|l.'}i."\|..'}i.#\|j.'}i.!\|..'}..#\|l.'}..$\|k.'}.."\|..'}i.&\|j.'}}.&}..'}...\|l.'}...}\|.'}}..}\|.'}..%\|\|.'}Rich}.'

Static PE Info

General

Entrypoint:	0x43f186
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60689947 [Sat Apr 3 16:35:19 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b56503b8c4f46a3a086734c09c6bd0f3

Entrypoint Preview

Instruction
call 00007F2B1CD46F4Fh
jmp 00007F2B1CD465CFh
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F2B1CD4601Fh
jmp 00007F2B1CD46730h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [004B4018h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [004B4018h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [004B4018h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb20a0	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbc000	0x5d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbd000	0x8d44	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa6e2c	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa6e68	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x84000	0x358	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8284c	0x82a00	False	0.488630756579	data	6.60983970569	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x84000	0x2f3d6	0x2f400	False	0.264529596561	data	3.62244340935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb4000	0x7818	0x6800	False	0.106745793269	data	3.31661959005	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xbc000	0x5d8	0x600	False	0.453125	data	4.07117757835	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xbd000	0x8d44	0x8e00	False	0.518926056338	data	6.64901147486	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xbc0a0	0x3ac	data	English	United States
RT_MANIFEST	0xbc450	0x188	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	GetVolumeInformationW, WriteFile, CreateFileW, ReadFile, GetFileSizeEx, GetQueuedCompletionStatus, GetFileAttributesW, PostQueuedCompletionStatus, SetFileAttributesW, GetSystemInfo, SetFilePointerEx, MoveFileExW, CreateIoCompletionPort, FindFirstFileW, FindNextFileW, GetEnvironmentVariableW, FindClose, GetDiskFreeSpaceW, GetLocaleInfoA, GetComputerNameA, WriteConsoleW, GetTickCount, OpenMutexW, CopyFileW, CreateProcessW, GetProcessHeap, GetThreadContext, HeapAlloc, CloseHandle, Process32FirstW, GetCurrentThread, Process32NextW, GetLastError, Sleep, CreateToolhelp32Snapshot, CheckRemoteDebuggerPresent, WaitForSingleObject, CreateMutexW, GetModuleFileNameW, TerminateProcess, GetCurrentProcess, HeapFree, WideCharToMultiByte, MultiByteToWideChar, FindNextVolumeW, GetVolumePathNamesForVolumeNameW, FindVolumeClose, SetVolumeMountPointW, FindFirstVolumeW, HeapSize, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindFirstFileExW, GetFileType, GetTimeZoneInformation, HeapReAlloc, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, OpenProcess, IsDebuggerPresent, GetTimeFormatW, GetDateFormatW, GetStdHandle, ExitProcess, GetModuleHandleExW, ExitThread, RaiseException, RtlUnwind, LoadLibraryW, UnregisterWaitEx, QueryDepthSList, InterlockedFlushSList, QueryDosDeviceW, GetLogicalDrives, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, DeleteCriticalSection, GetCurrentThreadId, WaitForSingleObjectEx, SwitchToThread, GetExitCodeThread, GetStringTypeW, QueryPerformanceCounter, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, EncodePointer, DecodePointer, GetCPInfo, LocalFree, CompareStringW, LCMapStringW, GetLocaleInfoW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetStartupInfoW, GetCurrentProcessId, InitializeSListHead, CreateTimerQueue, SetEvent, SignalObjectAndWait, CreateThread, SetThreadPriority, GetThreadPriority, GetLogicalProcessorInformation, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, RegisterWaitForSingleObject, UnregisterWait, GetThreadTimes, FreeLibrary, FreeLibraryAndExitThread, GetModuleHandleA, LoadLibraryExW, GetVersionExW, VirtualAlloc, VirtualProtect, VirtualFree, DuplicateHandle, ReleaseSemaphore, InterlockedPopEntrySList, InterlockedPushEntrySList
ADVAPI32.dll	ControlService, OpenServiceW, GetTokenInformation, CryptDuplicateKey, CryptSetKeyParam, CryptDestroyKey, CryptAcquireContextW, CryptEncrypt, CryptExportKey, CryptImportKey, CryptGenKey, CryptReleaseContext, LookupPrivilegeValueW, AdjustTokenPrivileges, InitiateShutdownW, RegCloseKey, CloseServiceHandle, OpenSCManagerW, DeleteService, RegOpenKeyExW, EnumDependentServicesW, RegSetValueExW, OpenProcessToken, StartServiceW, QueryServiceStatusEx
SHELL32.dll	SHEmptyRecycleBinW, ShellExecuteW
ole32.dll	CoInitializeEx, CoUninitialize, CoCreateInstance, CoInitializeSecurity, CoSetProxyBlanket
OLEAUT32.dll	VariantClear, SysAllocString, SysFreeString, SysAllocStringByteLen, VariantInit, SysStringByteLen
MPR.dll	WNetGetConnectionW
NETAPI32.dll	NetDfsEnum, NetShareEnum, NetApiBufferFree
IPHLPAPI.DLL	SendARP
WS2_32.dll	gethostbyname, gethostname, inet_addr, htons, getnameinfo, WSACleanup, inet_ntoa, WSAStartup
RstrtMgr.DLL	RmEndSession, RmShutdown, RmGetList, RmStartSession, RmRegisterResources
CRYPT32.dll	CryptStringToBinaryA

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserved.
InternalName	taskhost.exe
FileVersion	10.0.17763.831 (WinBuild.160101.0800)
CompanyName	Microsoft Corporation
ProductName	Microsoft Windows Operating System
ProductVersion	10.0.17763.831
FileDescription	Host Process for Windows Tasks
OriginalFilename	taskhost.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ab.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Persistence and Installation Behavior

Anti Debugging

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Created / dropped Files

C:\$RECYCLE.BIN\S-1-5-21-3384971621-2488082584-654606338-1105\desktop.ini

C:\Users\abbas\AppData\Roaming\Microsoft\Windows\ab.exe

C:\Users\abbas\Desktop\DUUDTUBZFW.png

C:\Users\abbas\Desktop\DUUDTUBZFW.png.bbdabdeEdE (copy)

C:\Users\abbas\Desktop\GAOBCVIQIJ.docx

C:\Users\abbas\Desktop\GAOBCVIQIJ.docx.bbdabdeEdE (copy)

C:\Users\abbas\Desktop\GAOBCVIQIJ\GAOBCVIQIJ.docx

C:\Users\abbas\Desktop\GAOBCVIQIJ\GAOBCVIQIJ.docx.bbdabdeEdE (copy)

C:\Users\abbas\Desktop\GAOBCVIQIJ\GVYSd_readme_.txt

C:\Users\abbas\Desktop\GAOBCVIQIJ\PIVFAGEAAV.mp3

C:\Users\abbas\Desktop\GAOBCVIQIJ\PIVFAGEAAV.mp3.bbdabdeEdE (copy)

C:\Users\abbas\Desktop\GAOBCVIQIJ\PWCCAWLGRE.jpg

C:\Users\abbas\Desktop\GAOBCVIQIJ\PWCCAWLGRE.jpg.bbdabdeEdE (copy)

C:\Users\abbas\Desktop\GAOBCVIQIJ\QCFWYSKMHA.pdf

C:\Users\abbas\Desktop\GAOBCVIQIJ\QNCYCDFIJJ.xlsx

C:\Users\abbas\Desktop\GAOBCVIQIJ\QNCYCDFIJJ.xlsx.bbdabdeEdE (copy)

C:\Users\abbas\Desktop\GAOBCVIQIJ\SUAVTZKNFL.png

C:\Users\abbas\Desktop\GAOBCVIQIJ\SUAVTZKNFL.png.bbdabdeEdE (copy)

C:\Users\abbas\Desktop\GRXZDKKVDB.jpg

C:\Users\abbas\Desktop\GRXZDKKVDB.jpg.bbdabdeEdE (copy)

C:\Users\abbas\Desktop\GRXZDKKVDB.mp3

C:\Users\abbas\Desktop\GRXZDKKVDB.mp3.bbdabdeEdE (copy)

C:\Users\abbas\Desktop\GVYSd_readme_.txt

C:\Users\abbas\Desktop\NVWZAPQSQL.png

C:\Users\abbas\Desktop\PIVFAGEAAV.mp3

C:\Users\abbas\Desktop\PIVFAGEAAV.pdf

C:\Users\abbas\Desktop\PIVFAGEAAV.pdf.bbdabdeEdE (copy)

C:\Users\abbas\Desktop\PIVFAGEAAV.xlsx

C:\Users\abbas\Desktop\PWCCAWLGRE.jpg

C:\Users\abbas\Desktop\PWCCAWLGRE.jpg.bbdabdeEdE (copy)

C:\Users\abbas\Desktop\PWCCAWLGRE.xlsx

C:\Users\abbas\Desktop\PWCCAWLGRE.xlsx.bbdabdeEdE (copy)

C:\Users\abbas\Desktop\QCFWYSKMHA\DUUDTUBZFW.png

C:\Users\abbas\Desktop\QCFWYSKMHA\DUUDTUBZFW.png.bbdabdeEdE (copy)

C:\Users\abbas\Desktop\QCFWYSKMHA\EEGWXUHVUG.pdf

C:\Users\abbas\Desktop\QCFWYSKMHA\GVYSd_readme_.txt

\Device\ConDrv

\Device\Mup\DC-01\public\employees.xlsx

\Device\Mup\DC-01\public\invoice.pdf

\Device\Mup\DC-01\public\tax figures.docx

Windows Analysis Report
ab.exe