ID: 214287
Sample Name: FAKE SSS ID-pdf.exe
Cookbook: default.jbs
Time: 14:43:07
Date: 10/03/2020
Version: 28.0.0 Lapis Lazuli

Table of Contents

Table of Contents 2
Analysis Report FAKE SSS ID-pdf.exe 4
  Overview 4
    General Information 4
    Detection 4
    Confidence 5
    Classification Spiderchart 5
    Analysis Advice 6
    Mitre Att&ck Matrix 6
    Signature Overview 7
      AV Detection: 7
      Spreading: 7
      Networking: 7
      Key, Mouse, Clipboard, Microphone and Screen Capturing: 8
      System Summary: 8
      Data Obfuscation: 8
      Persistence and Installation Behavior: 8
      Hooking and other Techniques for Hiding and Protection: 8
      Malware Analysis System Evasion: 9
      Anti Debugging: 9
      HIPS / PFW / Operating System Protection Evasion: 9
      Language, Device and Operating System Detection: 9
      Stealing of Sensitive Information: 9
      Remote Access Functionality: 9
    Malware Configuration 9
    Behavior Graph 10
    Simulations 10
      Behavior and APIs 10
    Antivirus, Machine Learning and Genetic Malware Detection 10
      Initial Sample 10
      Dropped Files 10
      Unpacked PE Files 10
      Domains 11
      URLs 11
    Yara Overview 11
      Initial Sample 11
      PCAP (Network Traffic) 11
      Dropped Files 11
      Memory Dumps 11
      Unpacked PEs 11
    Sigma Overview 11
    Joe Sandbox View / Context 11
      IPs 11
      Domains 11
      ASN 12
      JA3 Fingerprints 12
      Dropped Files 12
    Screenshots 12
      Thumbnails 12
  Startup 13
  Created / dropped Files 13
  Domains and IPs 18
    Contacted Domains 18
    URLs from Memory and Binaries 18
    Contacted IPs 19
  Static File Info 19
    General 19
    File Icon 19
    Static PE Info 19
      General 19
      Entrypoint Preview 20
      Rich Headers 21
      Data Directories 21
      Sections 21
      Resources 21
      Imports 22
    Possible Origin 22
  Network Behavior 22
  Code Manipulations 22
  Statistics 23
    Behavior 23
  System Behavior 23
    Analysis Process: FAKE SSS ID-pdf.exe PID: 3540 Parent PID: 3860 23
      General 23
      File Activities 23
        File Created 23
        File Deleted 25
        File Written 25
        File Read 35
      Registry Activities 35
    Analysis Process: wscript.exe PID: 3624 Parent PID: 3540 35
      General 35
      File Activities 35
      Registry Activities 36
    Analysis Process: oitpmotjn.exe PID: 1684 Parent PID: 3624 36
      General 36
  Disassembly 36
    Code Analysis 36

Copyright Joe Security LLC 2020 Page 3 of 36 Analysis Report FAKE SSS ID-pdf.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 214287
Start date: 10.03.2020
Start time: 14:43:07
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 51s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: FAKE SSS ID-pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal64.evad.winEXE@5/20@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 99.8% (good quality ratio 95.6%)
Quality average: 79.6%
Quality standard deviation: 27.2%
HCA Information: Successful, ratio: 53%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe; Stop behavior analysis, all processes terminated

Warnings:
Exclude process from analysis (whitelisted): dllhost.exe
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Timeout during Intezer genetic analysis for /opt/package/joesandbox/database/analysis/214287/sample/FAKE SSS ID-pdf.exe
Timeout during Intezer genetic analysis for unpackpe/0.2.FAKE SSS ID-pdf.exe.eb0000.1.unpack

Detection

Strategy Score Range Reporting Whitelisted Detection


Threshold 64 0 - 100 false

Confidence

Strategy Score Range Further Analysis Required? Confidence

Threshold 5 0 - 5 false

Classification Spiderchart


(Spiderchart figure; axes: Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; legend: malicious, suspicious, clean.)

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Initial Access: Valid Accounts 2; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service; Supply Chain Compromise; Trusted Relationship

Execution: Scripting 1 1; Execution through API 2; Graphical User Interface 2; Command-Line Interface 2; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software; Rundll32; PowerShell

Persistence: Valid Accounts 2; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts; DLL Search Order Hijacking; Change Default File Association

Privilege Escalation: Exploitation for Privilege Escalation 1; Valid Accounts 2; Access Token Manipulation 2 1; Process Injection 1 2; File System Permissions Weakness; New Service; Scheduled Task; Process Injection; Service Registry Permissions Weakness; Exploitation for Privilege Escalation

Defense Evasion: Software Packing 1; Disabling Security Tools 1; Deobfuscate/Decode Files or Information 1; Scripting 1 1; Obfuscated Files or Information 2; Masquerading 1 1; Valid Accounts 2; Access Token Manipulation 2 1; Process Injection 1 2; DLL Side-Loading 1

Credential Access: Input Capture 2 1; Network Sniffing; Input Capture 2 1; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History; Input Prompt; Keychain

Discovery: System Time Discovery 2; Account Discovery 1; Security Software Discovery 1 2 1; File and Directory Discovery 3; System Information Discovery 2 6; Query Registry 1; Process Discovery 2; Application Window Discovery 1; System Owner/User Discovery 1; Process Discovery

Lateral Movement: Remote File Copy 1; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol; Windows Admin Shares; Taint Shared Content

Collection: Input Capture 2 1; Clipboard Data 2; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data; Automated Collection; Audio Capture

Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Physical Medium; Commonly Used Port

Command and Control: Commonly Used Port 1; Remote File Copy 1; Standard Cryptographic Protocol 1; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol; Multilayer Encryption; Connection Proxy

Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station

(Numbers after a technique name are the counts of matched signatures for that technique.)

Signature Overview

• AV Detection
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

AV Detection:

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Spreading:

Contains functionality to enumerate / list files inside a directory

Enumerates the file system

Networking:

Contains functionality to download additional files from the internet

Urls found in memory or binary data

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Potential key logger detected (key state polling based)

System Summary:

Contains functionality to communicate with device drivers

Contains functionality to launch a process as a different user

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Found potential string decryption / allocating functions

PE file contains strange resources

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Classification label

Contains functionality to adjust token privileges (e.g. debug / backup)

Contains functionality to check free disk space

Contains functionality to enum processes or threads

Contains functionality to instantiate COM classes

Contains functionality to load and extract PE file embedded resources

Creates files inside the user directory

Executes visual basic scripts

Might use command line arguments

PE file has an executable .text section and no other executable section

Reads ini files

Reads software policies

Sample is known by Antivirus

Sample reads its own file content

Spawns processes

Uses an in-process (OLE) Automation server

Submission file is bigger than most known malware samples

PE file contains a mix of data directories often seen in goodware

Contains modern PE file flags such as dynamic base (ASLR) or NX

PE file contains a debug data directory

Binary contains paths to debug symbols

PE file contains a valid data directory to section mapping

Data Obfuscation:

Contains functionality to dynamically determine API calls

File is packed with WinRar

Uses code obfuscation techniques (call, push, ret)

Persistence and Installation Behavior:

Drops PE files

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

Found WSH timer for Javascript or VBS script (likely evasive script)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Contains functionality to enumerate / list files inside a directory

Contains functionality to query system information

Enumerates the file system

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Program exit points

Anti Debugging:

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality to register its own exception handler

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to execute programs as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Creates a process in suspended mode (likely to inject code)

Contains functionality to add an ACL to a security descriptor

May try to detect the Windows Explorer process (often used for injection)

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)

Contains functionality to query CPU information (cpuid)

Contains functionality to query local / system time

Contains functionality to query the account / user name

Contains functionality to query time zone information

Contains functionality to query windows version

Queries the cryptographic machine GUID

Stealing of Sensitive Information:

OS version to string mapping found (often used in BOTs)

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Malware Configuration

No configs have been found

Behavior Graph

(Behavior graph figure; ID: 214287; Sample: FAKE SSS ID-pdf.exe; Startdate: 10/03/2020; Architecture: WINDOWS; Score: 64.)

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.

Process chain shown in the graph:
FAKE SSS ID-pdf.exe (3 created registry values, 27 created files) started wscript.exe (1), which started oitpmotjn.exe.
FAKE SSS ID-pdf.exe dropped C:\Users\user\AppData\...\oitpmotjn.exe (PE32), marked "Is malicious".

Signatures attached to the graph:
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
FAKE SSS ID-pdf.exe | 44% | Virustotal |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\x1532c8256\oitpmotjn.exe | 38% | Virustotal |
C:\Users\user\AppData\Roaming\x1532c8256\oitpmotjn.exe | 43% | ReversingLabs | Win32.Trojan.Trojan2

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
secure.globalsign.net/cacert/PrimObject.crt0 | 0% | Virustotal |
secure.globalsign.net/cacert/PrimObject.crt0 | 0% | Avira URL Cloud | safe
secure.globalsign.net/cacert/ObjectSign.crt09 | 0% | Virustotal |
secure.globalsign.net/cacert/ObjectSign.crt09 | 0% | Avira URL Cloud | safe
www.globalsign.net/repository09 | 0% | Virustotal |
www.globalsign.net/repository09 | 0% | Avira URL Cloud | safe
www.globalsign.net/repository/0 | 0% | Virustotal |
www.globalsign.net/repository/0 | 0% | Avira URL Cloud | safe
www.globalsign.net/repository/03 | 0% | Virustotal |
www.globalsign.net/repository/03 | 0% | URL Reputation | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64
FAKE SSS ID-pdf.exe (PID: 3540, cmdline: 'C:\Users\user\Desktop\FAKE SSS ID-pdf.exe', MD5: 2DBD9D122837F67F8DF785DE70877A64)
  wscript.exe (PID: 3624, cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\x1532c8256\fdpqirllrb.vbs', MD5: 7075DD7B9BE8807FCA93ACD86F724884)
    oitpmotjn.exe (PID: 1684, cmdline: 'C:\Users\user\AppData\Roaming\x1532c8256\oitpmotjn.exe' jrbp.pbh, MD5: AFE972E9214C8B5E9B24FBE665CE5A89)
cleanup

Created / dropped Files

C:\Users\user\AppData\Roaming\x1532c8256\anrohnefra.msc
Process: C:\Users\user\Desktop\FAKE SSS ID-pdf.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 573
Entropy (8bit): 5.4276832709431915
Encrypted: false
MD5: 687F3D80FB9D2F0C989F70D55151F254
SHA1: 0310C7510A2A1BF18B269D70DC55FA43078E90EA
SHA-256: F4E5D8D232DCFDE29FF6ACFDF71FEF1F8306F3A728E9D5BC2D8D9ADD82156470
SHA-512: DC2C6B115387D5DB6E9033C629F668469BEB7A910D0CC82B31330511FB0B74E1AA5E38559FA80FF67315458F71D521FE0CA563771CD554FC50936A464AA8F7CF
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\x1532c8256\ebfgeul.dll
Process: C:\Users\user\Desktop\FAKE SSS ID-pdf.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 578
Entropy (8bit): 5.5636895708156695
Encrypted: false
MD5: 5D0259B5D82A1D2C31BF7D4A3C16D7A7
SHA1: DC48AAAA1EC62C3B2D94C2C4A438396C490FF080
SHA-256: 379FA18AD3D1CE84C6CD989A4D060EB08453FCF23FC44EC7737B3DD1F987BD44
SHA-512: 38CBAA1D244A799E816F5322F1A7AD3F12D9582F070CC5331F07788664F813117B69BF1A069BFC430B5CD102AA1693DDFC3A9387AEAA4246432EC7352449022C
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\x1532c8256\extqcuh.nls
Process: C:\Users\user\Desktop\FAKE SSS ID-pdf.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 517
Entropy (8bit): 5.535112276947027
Encrypted: false
MD5: 1BC92FB972C5F6F781EC8147F220E119
SHA1: A5254609A989316ACAA157E1FD9060F5143A40D4
SHA-256: F9B1B2288A49523CC1D759F40AA4F297C9AEC8D3F05433B4CC3C9FEE86C90F13
SHA-512: BBC0768E854078272602F2B04ACAF0E659920232D76F9274A00D8D76AE40A49A0B05B45B9BBF345C9B28AA7D67DE4AA8239C6BAA10AC0D537B31688CB7521A3B
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\x1532c8256\fdpqirllrb.vbs
Process: C:\Users\user\Desktop\FAKE SSS ID-pdf.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Size (bytes): 39100
Entropy (8bit): 6.6924289824228875
Encrypted: false
MD5: 56CAEFB65835B8D4114ED6076E8E0184
SHA1: 3EFA817F7D47E01680D5D90AA215F3C81C350E81
SHA-256: 24EF61BCC27C8300AB47318CE61AC5DB5A55F22AF20D1F636D69AC6B2E69C3E0
SHA-512: AE393AF31BBC19560B362D27B54DD0D470391E36297E89B3BC54557EBBE71E5059D3883AC6184476EF64FFE8DB2F3DEA0F535E284A28F24BBEC2F6682D990A22
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\x1532c8256\glvtbtxfvr.xls
Process: C:\Users\user\Desktop\FAKE SSS ID-pdf.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 615
Entropy (8bit): 5.581373690285107
Encrypted: false
MD5: 1EBBF84FD4B23F385856EB5EECF7110F
SHA1: C050551A8166FE686D0B1EACBFD32C7AD4326DB4
SHA-256: 553D5B8474DF729F8048555FC99A53A402BE9C03E74E2C3330D4B04386F7214E
SHA-512: 88DE0E02E7D89834247A650C2B6FAE0C3B405F0FD18BBB9E50FC5AC602F0A2DF1D0745943480A58370034FF3D644D814CD1F11FB187F988E299795B0A6A13684
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\x1532c8256\ipjcrh.cpl
Process: C:\Users\user\Desktop\FAKE SSS ID-pdf.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 597
Entropy (8bit): 5.4805382466938655
Encrypted: false
MD5: 1B07E559D9099C954B3AC610EB2B64E0
SHA1: F2B376A5D5789CA9A39C63F99E19B4ABF1160EC3
SHA-256: F5E5596E6DE3B08795E6568B831F67A9F4D8FB85747B72767DB3971A2B70131C
SHA-512: 90C77CD608D04ADFCA47684ECC37ABA6E17311BF673B040F03DEBA9A06BF38491DF7EF87B515E86590E2C3FE1B77686AA959838EB1AFE1E543D08665946590C8
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\x1532c8256\iwlehr.nls
Process: C:\Users\user\Desktop\FAKE SSS ID-pdf.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 506
Entropy (8bit): 5.559646285401868
Encrypted: false
MD5: CB6898970ABECA9F8DC5E2A8024080EE
SHA1: CF6519E57C41C5BD3C0FDEDA424A82C7B6589F66
SHA-256: 8CDDCFB7694C8151AF95B6FFC307023B921B0CDAD4BB1B066EB2155303156946
SHA-512: DD42BC4D99664A654916B5D9A03F97EB520C81701F8B587E6D7A1C923CE1A3B5B3D599FDE1E63A172F7065916327FA8BC8F3C615B89EB6E5ECE0BC644B048CED
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\x1532c8256\jrbp.pbh
Process: C:\Users\user\Desktop\FAKE SSS ID-pdf.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Size (bytes): 139527510
Entropy (8bit): 7.095287963755677
Encrypted: false
MD5: EBB781FB1E3CB5EB765D4B558AC8DD5F
SHA1: 9FD1B4BA0D5A310A10886F58238BA434E01E6F52
SHA-256: FEEA908D5C6B4B11C4BE751803D97B406660786FDD1AB4D78F3ADFEE905D354C
SHA-512: 8AD7F439CE6980D6CC51B7D141D253128AFA698F05C8A256D875E401A8A81E6274A0E4163F54B99A7DFA532BE63979494B19341C58A3217799406B1EE461DF63
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\x1532c8256\nccarmviuw.exe
Process: C:\Users\user\Desktop\FAKE SSS ID-pdf.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 523
Entropy (8bit): 5.527359589669029
Encrypted: false
MD5: 1759E85AB18841E5B6276D86F13B5091
SHA1: 6F375D9987996E34090564ABE3AB03CBD36A8165
SHA-256: A977E50B1B5CC11624D643168018D3BE08EA3FF09C62E0381DDF532C96349110
SHA-512: 0835AA6746302E405D1A5EC6DCFB6D33FDC73480F7CD72AE3695A5595F0709B9F5F2D4592AB408E9832A675CC469E6795F390A676FFA7C6BC791D7B319FB6273
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\x1532c8256\nquhts.dat
Process: C:\Users\user\Desktop\FAKE SSS ID-pdf.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 566
Entropy (8bit): 5.524664827856854
Encrypted: false
MD5: 58A9D06805B7B56890ED959A2EBD26FB
SHA1: B279EE692E6F81E56C0C6047E02B5AD05A2BA224
SHA-256: 7812139A9E96E0ABF3C54D2DEAF024DDE8788593BB7404C486D57A1C3B238926
SHA-512: D5783C7362EC81C6A2F487AD82D9A437314F71620EE0C4F8DC55F522CD9F0BA8302E7482806B4270C221965E69191A00DD537C6BBB3D4BB45CB9FC7850C0305C
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\x1532c8256\ogwl.exe
Process: C:\Users\user\Desktop\FAKE SSS ID-pdf.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 508
Entropy (8bit): 5.456645469713254
Encrypted: false
MD5: E78AAB12078810FAC1248E5341444D5C
SHA1: B1239A30404560A3821CC65F15789FB038C9592E
SHA-256: 1CBF21281C9F059F40937CB21AF3C61AD212ECE3EE40D69B7D8841E0353D06E6
SHA-512: CC212EA5180725B0374293EE1FA3C5F34D222142543D70DB561406FF970625B3F1F38D076C5C66D54B7BBEB7532F2605A070EDAD9021DB2BF3010A305B203699
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\x1532c8256\oitpmotjn.exe
Process: C:\Users\user\Desktop\FAKE SSS ID-pdf.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes): 700144
Entropy (8bit): 6.558649689069998
Encrypted: false
MD5: AFE972E9214C8B5E9B24FBE665CE5A89
SHA1: 205DF3E396808972509911E8417AA4B4CFFE5A4B
SHA-256: AE9FE89BC10BA02AE33B25389C7AC5FD53FC312E7656C95357ADEC444824B419
SHA-512: D37E8D604675056BE6333B66E45E15AC85491B85B369D1632E135FFB2A254AF9D572586D614B94E3AF7BCA0F1F71BDF99FD69105A8C12549DA354825B26567B6
Malicious: true
Antivirus: Virustotal, Detection: 38%; ReversingLabs, Detection: 43%
Reputation: low

C:\Users\user\AppData\Roaming\x1532c8256\rwucorxiun.xls
Process: C:\Users\user\Desktop\FAKE SSS ID-pdf.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 544
Entropy (8bit): 5.446692010272626
Encrypted: false
MD5: D496BA8AB7F2652FD2AF1F311E2A17CE
SHA1: CD7B27ED39D45A6FE2498C0379E374B6DAEE9BA1
SHA-256: FA62789725189EAE24268BCEAFFADD016B9704092E124E3177B9BEAE20217A7A
SHA-512: 441D63A7AC986BCE78B0E744ED904E6D3E8097DE232E67F51611CDC9C211E63D9AFA277E5B35D5354F1C41E914BB4A1B29F16843D369734F16353C8A90659033
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\x1532c8256\tcowvpfwv.msc
Process: C:\Users\user\Desktop\FAKE SSS ID-pdf.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 592
Entropy (8bit): 5.448225609185188
Encrypted: false
MD5: D47487675975DC175E419E256C48277F
SHA1: 6672B2DEA6324259E38ABAB37FDD7188A5025B38
SHA-256: 8CA7BCB3CB3A4643E91BCBD0BDA5515CD155F9362C8D7901B0A735DFE73F8A44
SHA-512: 2FCE0DB5966EE28607982A59574B42DB3CCAD824D6248ED86BFA937F31ACEBC7EC2EE74DA9DE20B611A5AE03E488B26A8BB2D060E9FFCCE716F54DD98579171D
Malicious: false
Reputation: low
Preview: A7g981z42zl29658F97i0391C4C3u1tE3OQ5046jeR62k8V2puU738sC4LM182mXYEE2jRjCzzEqg13A0YYG29Uy171384k1250Tk0r..xh6332Nt634sCX1532Dv1cfor 1z93fN9B1d898dJ5c7ufpz7S5201Zk3h3oQ4P9fa83pJQ6wvM05o131852D850O5WV9DaQ..455sm1H7m5e08qx35dS4K5zActdjG11R8CQDLKuP69K5tA1L2y74051vWG 2L75XA8e62Fds64d2O5Y4r0c2WH549M0M3b5uapJkD4iq9x9NZ00..919Z31z..GZ347IS74614T2bO2w00I5wI1Al2E059821n0s8E940ad19j997Rp3DT5i0Gqu82954 2p39G2Y1kHC275W4E7Q3Eqs2o28zRJ481126u5bh0v6U..070701IY2vTr5Mu8991255i..P9b64rG9j4IC30J31p603RdohU0306..18fS4p59290968Aa6U3x28l3Tar 0jB4a04052m01y4qy0yL49Q31W2Ss833Lj2W797Dc0isJJ8d120YN14oA362920eysUcKE..

C:\Users\user\AppData\Roaming\x1532c8256\uorkh.ico
Process: C:\Users\user\Desktop\FAKE SSS ID-pdf.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 592
Entropy (8bit): 5.475910681503655
Encrypted: false
MD5: 188CAB981235BAF3E70E91ACBA77A1F1
SHA1: C4AB248AF096C5F3E38B028DD12576C165F1D37B
SHA-256: 521E70B46A69BD2265CD78B831183498AC8832378B27B70CE9101BA9B19BA07E
SHA-512: 4A467764E9A4717ED2B4EBAED1451E4E20B24490D1A2789511AB9AA8C5C5A89223F4DE89EDB5F32CCAA0BECB46C4B93E0163579275B43E4EC51B1E0DFF288AE3
Malicious: false
Reputation: low
Preview: 3234D9eEmJBxeArw1Q8429v54b8WB788H6p1BHE7ar774m8PjjLq4D1947X..77cM4dJfrn924h3w9RXk1226rWA36H7F262n32v7c12N5G8foV91J6d2G3n4M59k93..6 Y4JG9G8767p032WO58ZzG931rb9n6U34136BI9Ns26mbZBhTc2C7h266U873f2F449V9496629140fXSuNc8E4..C8k64Rp55E284WZTZ7cF642TU0kQ5S19R7KNI310fX s3n6gK3T5Gz09A32EytJR5VVN6Ak40uRqW5g4157zt17X65Mva8Qpv0K46BM08IT695m17G70p..8Ic4689uj9n04RZrxlJnX8726kSO875o64954lnWj3Z711en0m..81 71l792s21Lpu6q818LQf9tx7e0g12O83244d91Iqn6148Q0Dric65C9g3zt1883m55r9KPc2j5nRqtmwsk7Jt06tT..5u1qdV6Ig51m6As3R5U478Y179M1xLB5En1HjLK 195V03m54d64L7u08b08u6s5c728CL12bd144Pb47vG7z1Yt445875uXU7sQ43zF8Sx32F..

C:\Users\user\AppData\Roaming\x1532c8256\wbgvokqlg.txt
Process: C:\Users\user\Desktop\FAKE SSS ID-pdf.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 531
Entropy (8bit): 5.360952877678789
Encrypted: false
MD5: D305F8E13E680CA8B9D42E67688E1C08
SHA1: CF9948565A036C975E949C4D83CB0F988C4BBEE3
SHA-256: DF768256609B9F89D54EBA3625C487619453F906EC16767AD87B4E4EF293A3B0
SHA-512: A5045DF9D88DB2F724009380265F50CB15EEDC0FE4A9A127245C77A3B5D0903CE935A823D9731F24BA55938869881E216ACA659BECB0354FBC56EAA35EA73861
Malicious: false
Reputation: low
Preview: B7Pm4b1du777A7uMESO2518OU55x595221AarV41U3U977ZurSS6039Pt0fl0Z7v2J1e3Lcsjru1S38678jw1k4jZTJz578e3Te7Ox8v509nF7582tn71th7f582MiG25J 9f..838y8703w582vk4844948qu66A1xw47067wpjVul8165gYSZL3b098o69894868K9yfuq1351K4Vr1p9P00R20mcx464Q9n37172HL0fI9uDvPY10504..87Ab7u78 138gn21rjzVVJJK428oq5J9J374429Wq0f2RG70gPc47..g2d7856u7H10Nrc39YM9r3W5d..w91o9IY90s68C80Mh323uHe879h35S119S3L3i63g6L0A1M938vE0939B 947..1Q2s7wp4MJNnv0K515U20gVn56f43RKWba9Bd2455Fv643dah48I55p2ZIj4Zn968kc391Pn9913CVo69731468I1ho65179B8gqW59G969a942901v322H40eq7y Qx5cQ04xb..

C:\Users\user\AppData\Roaming\x1532c8256\xdmoxvqa.cpl
Process: C:\Users\user\Desktop\FAKE SSS ID-pdf.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Size (bytes): 317066
Entropy (8bit): 4.586944230490854
Encrypted: false
MD5: 09BB7C1016838E303AC447FC6E802B58
SHA1: EE0F1EA862FC99BE39AFACC42A781CCE1E6F02E7
SHA-256: 1312D989D42208BF7E2AF95DF6CE8820CDD2C2A1FF31C19741D0BA99D2965FB7
SHA-512: A7175A138CD5F3DC0F4D136FACDE6F8AB5B296579F9328EEB08D85DF16E5177F1AF7867DF77F3B0D00636FA1FF9870AD03874BABE7B5B502C7934B18C3241122
Malicious: false
Reputation: low
Preview: U758keV21I993q72OK4107kBU0h190p1rgeD0KuDQWgRXh..N6ZxWXcN021J6H4hs7I6p3r652st7w8a82APR4580Ale42u4hG449d5361W8D..683F476ODJ37LLNU26G 05Kx09a73Q758nO18d..Pr4H8HY1qXUrt06Qm38xx6cAla104aVF4h2vpdk05m19b96557QK4T89Y239J5074zNGK0PGu..2oj5y56yyg959Qn10976w4m0Zy5MG2723.. 7f8Ef1adG6589ezcc749vqb7y717kVT4Ch7pxj2155n29U0by665KyQSmb4..7a16uT0sc8o7C5I7m28iM6DH4M52t61uhJ83B72..CYoun1XD3506BP0mo2cO32pomi38 92803378w22sk5h8829BU67..AS6KN5zOKbHSd1Fo769klAl1Q74I1r9x62uv6157H9EXrry3Q..452120L8FV6M53k1XQVCf68WD2QcH0180Z2kZ1R6m8HuTG2q7GD998 1H0..03iA87z9Q4zwMo0G5S1614p6M99OE2gmyUt8Hc45C2dY86Hnu8..K39hgo0EeLi6zf7t6xw1o0BWkC91I5ZM79226zN38d..59uWT1hOl62ln61NnC7FX72B926I6 3732enK326505Rs9nr2..6QFO87h491mw65W..a4F999Q7fbNb4272ySc0h28ta3K368PMM858437c40752b4y70047430130K..95R78muTp3k3d6008ij9D9039Odu8W rAaku..8xL0y30Vdm657w8A1c5tes2f83wtP56N482E77y6y4042oAgL513G624xx76x83y7..i10o2766Y282Qf21Vk771QHD0u9sKjKSs955ZSO3cL0qfyU94crps53g p81hk0..q671UCs8wc75Fl35hrQ5q8yb3cbs2LM4216C6B7j72dO7425D6pz28zLGbl79Hg..f68P55r483Y815V2c

C:\Users\user\AppData\Roaming\x1532c8256\xekltk.cpl
Process: C:\Users\user\Desktop\FAKE SSS ID-pdf.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 527
Entropy (8bit): 5.450070651179006
Encrypted: false
MD5: C99EE4F39A796A1588154ABFD4938921
SHA1: 6C9D5670BB91126C423B249BBA000820DAEF6E4D
SHA-256: 382C033CD15E8CB858F2D08B6D58003B17C77487703FC0812681E3C6B68FEA07
SHA-512: 7483D71BEC0D862B87699D928419E6C25BE428BF4542F0E9150A04BA90EFDD01022494302F782229E5FB719B0D6EA15C38B79A588D5C572EF5522394B1BC6FCC
Malicious: false
Reputation: low
Preview: 8n76XCztE849lgZoAJ4512I0wP597Hj4bC7388cMOOT9BCy43qK9FITE3umV4533..y8IAXa094EC0V76sjt9543uReQ3XlyiaA56837l6uz7609p94G48ee8cm96I129f 53x6040YLj87c07WuBx..P76160D2oH2Tz196M271zan093Sq4Q85T612v4C6muk909P88732154T9vY106mW171g2U75l0c5688761730fu470gEe0j035778x36C221k nq8..0170268r53Y32PZ9Wr3GfMFiZ16n7rPaAr65x5k4xaImA74d993696Mp1578Y7hB875qJ6X3g68x95573u3H48sr9WfB53L4PlG8T8C444tio0zMOZJN2Lo5P5NEt P7R002q3r7cBI4s..35Urs6NN4y058KH7Ar73A35GVB86p7iRf285iym0G4Ta66C330138549g665f9z5hW3HVcbNiO5xWft7stbeQe41374I317T35z4M4FnpAn0Iicm7SnOv7..

C:\Users\user\AppData\Roaming\x1532c8256\xgpg.icm
Process: C:\Users\user\Desktop\FAKE SSS ID-pdf.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 530
Entropy (8bit): 5.5363534111039785
Encrypted: false
MD5: 4F2743B193E9AD2F717ADBC0EA5EEBC1
SHA1: 1AC69D215F17DD91FAD1C03C6EA142A7681709A7
SHA-256: 320A4FC64A93258022C7A720DE0813FE2327D1FFB036AAA3F16BC9111E92DE08
SHA-512: 307AD8F27095CE7CE98A43D3B6D10F68F5239EB3FB2D754C24A9F7842F4D465E650FE89FA9FDA718F404A6F7417D9A08BD91892DCAC349512BB790C580D7F0EE
Malicious: false
Reputation: low
Preview: 379Ej6RvnE537E5..4vcYq233f8uI34o4jr1uF53tU8MJmTUew894..a5Xc6np4801Ou04411WuEU5T010617GF088N00X2HU90m89bR2kPXv2B2gi96I6xJLaNWT0k6v6 V1gF044430Z6geT5Yu0gQ0dE10WGw885J..31H7s3q0u866U8g95v271J77A8j8t515jJ9V0g074Y81J096J478666BQmp6K2a0s05uVV0Te9MFeQ74zF2Y5E6XT4C9410 kPjgH6TW3pUL69W26A0FXJ25T3791NE697t54..KrCE4O3sr9mr4D0f8xh34Y23t4TMC7Vz8ViN4..94L734MSc2yk4Pm5ySRf0hkh43P2E88c1ghZd93I50Jhx3CPxk64 Ve23iZ6rW4oGlVA546576V3u776n2C..p9Z6P7b3d0YHU85dFql4nVJ75092KXe1Gd5579iw3J2NUIG3iksKz60k0FGHadB19T3oN7G9S1421j6y7T6XA20rL4zkM066Le pH45180v..

C:\Users\user\AppData\Roaming\x1532c8256\xphca.cpl
Process: C:\Users\user\Desktop\FAKE SSS ID-pdf.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 502
Entropy (8bit): 5.529895297726161
Encrypted: false
MD5: C751B17A3FD86E3D7381A03FA4B58880
SHA1: 64F552E37245E60B5AE3EAA16290EDAFF3CE8C61
SHA-256: 5ACB73D7D73E3E42CE48BC952E55638FB22DCA63364B307A42E37F166B546E02
SHA-512: 9AB81BE238F96D133D41FC0028BD10024CECD6BBA392567A99643D60253A7766238D6CD9F0B55E60B0133B8ECD02DBA0295DFA23EAB6D3B3B6E413AD852B2632
Malicious: false
Reputation: low
Preview: G4m10l61W7rv9Z3bz40CA7ADdS03KfA34O2Y1wYr84022ex12J67za0FQjPzbR310CS34H8H9L7I5..A0UQwB3Z1r9gg7t32NMks97L65B9kK76903847LRYi9z55R462w 858398d3X589..0mK3847v4p815004Urhk01c5g483Igc37..qw20XdAHD4D1HW4Y31R52r8N6I3paj69kSuA4j9s1ys2d2MW4q7RL845j8IO3V56ZTv82Ixk1e570568P 16IHZOG58WiI71Gcf..s22Z8P3R85FeBAL9xz0M201Q2604p9o27gs4Goo13OeR3C42wOtk74wVkP32n8S2P6V53y30Cu0sqWj6k233p0IU8F0k7X0jCdXJ4mAc7J8mCE9 nL8bfq852a9G85S0VAkW1d2..m9pBCeIOL6Z85RKh85wBa1m4G32s2rU3305U166cmb70ong5d4..595WAAd9H8X8qn9380s87Uw996wml6bUp..
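The per-file fields above (size, 8-bit entropy, MD5, SHA1, SHA-256, SHA-512 and the Encrypted flag) are all derived from the file bytes, so a dropped file recovered from another host can be checked against the report. The following Python is an added example and not part of the Joe Sandbox report: it recomputes those fields and lists the ones that disagree with a reported record. The ENCRYPTED_THRESHOLD constant and the sample bytes in the main block are assumptions constructed for the example; the page does not state the exact rule the sandbox uses for "Encrypted".

```python
# Added example, not part of the Joe Sandbox report: recompute the fields the
# "Created / dropped Files" section lists for each file and compare them with
# the reported values.
import hashlib
import math
from collections import Counter

# Assumed cut-off for "Encrypted: true"; the report does not state its rule.
ENCRYPTED_THRESHOLD = 7.9


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 for empty or constant input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_record(data: bytes) -> dict:
    """Fields in the report's order; digests upper-cased like the report prints them."""
    entropy = shannon_entropy(data)
    return {
        "Size (bytes)": len(data),
        "Entropy (8bit)": entropy,
        "Encrypted": entropy > ENCRYPTED_THRESHOLD,
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def check_against_report(data: bytes, reported: dict) -> list:
    """Names of reported fields whose value does not match the local bytes.
    Entropy is compared with a tolerance because the report prints a float;
    everything else is compared case-insensitively as text."""
    actual = file_record(data)
    mismatches = []
    for key, value in reported.items():
        if key not in actual:
            continue
        if key == "Entropy (8bit)":
            if abs(actual[key] - float(value)) > 1e-6:
                mismatches.append(key)
        elif str(actual[key]).upper() != str(value).upper():
            mismatches.append(key)
    return mismatches


if __name__ == "__main__":
    # Constructed sample standing in for a dropped file (not the real file).
    sample = b"8r1b30hcO87934BZ13g7G1Ga3Y91i4tMR73t9avA6167t6n99H4K\r\n" * 10
    for name, value in file_record(sample).items():
        print(f"{name}: {value}")
    print("mismatches:", check_against_report(sample, {"Size (bytes)": 544}))
```

Hash values from the report can be pasted into the `reported` dictionary in either case; only the entropy needs the tolerance, because the report prints a rounded float.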

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
secure.globalsign.net/cacert/PrimObject.crt0 | oitpmotjn.exe.0.dr | false | 0%, Virustotal | unknown; Avira URL Cloud: safe
secure.globalsign.net/cacert/ObjectSign.crt09 | oitpmotjn.exe.0.dr | false | 0%, Virustotal | unknown; Avira URL Cloud: safe
www.globalsign.net/repository09 | oitpmotjn.exe.0.dr | false | 0%, Virustotal | unknown; Avira URL Cloud: safe
www.autoitscript.com/autoit3/0 | oitpmotjn.exe.0.dr | false | | high
www.globalsign.net/repository/0 | oitpmotjn.exe.0.dr | false | 0%, Virustotal | unknown; Avira URL Cloud: safe
www.globalsign.net/repository/03 | oitpmotjn.exe.0.dr | false | 0%, Virustotal | unknown; URL Reputation: safe

All six strings were carved from the dropped oitpmotjn.exe (source suffix .0.dr); none of them was contacted during the analysis. The trailing characters (crt0, crt09, repository09, /03) are bytes adjacent to the URLs in the binary and not part of them, which is what one sees when URLs sit inside a DER-encoded certificate, and the GlobalSign CRT/repository URLs are consistent with a code-signing certificate chain embedded in that file. www.autoitscript.com/autoit3/ is the string the AutoIt3 runtime carries, so the dropped executable is most likely an AutoIt-compiled binary.

Contacted IPs

No contacted IP info

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.653484674261252
TrID: Win32 Executable (generic) a (10002005/4) 99.96%; Generic Win/DOS Executable (2004/3) 0.02%; DOS Executable Generic (2002/1) 0.02%; Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: FAKE SSS ID-pdf.exe
File size: 1063012
MD5: 2dbd9d122837f67f8df785de70877a64
SHA1: 826c16f6da6a2adb497666265db34edf753ba113
SHA256: 31cbbc84325f431a941eed95f30c8d40728415c5507dd4527bb4704fbf562231
SHA512: 9fc2aa5e6fb229dcdf28ad443c9cbd0ab0d2723d37f60176f8b2965652e709aa43a5e36bfd6d1444d0b472819416a6a45e5666769fce78593dad2b51356227e1
SSDEEP: 24576:0NA3R5drX4mAjYjAGfY/xpA1g96SjbV4DQFUNBfP+k/T:V5ZAcjLY/xe1xEuDpNBfPz/T
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... ~...... b...... b..<....b...... )^...... %......

File Icon

Icon Hash: 6eecccccd6d2f2f2

Static PE Info

General

Entrypoint: 0x41d759
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5CC4B58F [Sat Apr 27 20:03:27 2019 UTC]
TLS Callbacks: none (the TLS data directory is empty)
CLR (.Net) Version: none (no COM descriptor directory)
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 00be6e6c4f9e287672c8301b72bdabf3

Entrypoint Preview

Instruction
call 00007F907879DBBFh
jmp 00007F907879D5F3h
cmp ecx, dword ptr [0043A1C8h]
jne 00007F907879D765h
ret
jmp 00007F907879DD35h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00430FE8h
mov dword ptr [ecx], 00431994h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F9078790D0Bh
mov dword ptr [esi], 004319A0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004319A8h
mov dword ptr [ecx], 004319A0h
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F907879D70Ch
push 00437B74h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F907879FFF6h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F907879D722h
push 00437DA4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F907879FFD9h
int3
jmp 00007F90787A2025h
jmp dword ptr [0043025Ch]
int3 (repeated 12 times)
push 004209A0h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]

The call/jmp pair at the entry point followed by a cmp against a global and a short ret is the standard MSVC CRT start-up sequence (security-cookie initialisation, jump into the CRT main, then the cookie check routine), which agrees with the VS2015 linker recorded in the Rich header below; nothing here is sample-specific code.

Rich Headers

Programming Language:
[ C ] VS2008 SP1 build 30729
[EXP] VS2015 UPD3.1 build 24215
[LNK] VS2015 UPD3.1 build 24215
[IMP] VS2008 SP1 build 30729
[C++] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x38cc0 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x38cf4 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5d000 | 0x1cf44 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7a000 | 0x1fcc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x36ee0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x31928 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x30000 | 0x25c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3824c | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

An empty SECURITY directory is the structural reason for "Digitally signed: false" above: there is no Authenticode signature blob at all, as opposed to an invalid one.

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2e854 | 0x2ea00 | False | 0.590891002011 | data | 6.69230972772 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x30000 | 0x9a9c | 0x9c00 | False | 0.457131410256 | DOS executable (COM, 0x8C-variant) | 5.13286467456 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3a000 | 0x213d0 | 0xc00 | False | 0.2802734375 | data | 3.25381103208 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.gfids | 0x5c000 | 0xe8 | 0x200 | False | 0.33984375 | data | 2.11154177446 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x5d000 | 0x1cf44 | 0x1d000 | False | 0.220122238685 | data | 4.85394778456 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7a000 | 0x1fcc | 0x2000 | False | 0.794555664062 | data | 6.64554135223 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

The raw sizes of the six sections add up to 0x58400 bytes (361,472), so together with the headers they account for only about a third of the 1,063,012-byte file; roughly 700 KB sits in an overlay appended after .reloc. That overlay, not any listed section (none exceeds 6.69), is what pushes the whole-file entropy to 7.65, which fits a compressed archive payload and matches the WinRAR SFX behaviour visible under File Created (the __tmp_rar_sfx_access_check probe file): the PE is the extractor stub, the overlay is the archive. The "DOS executable (COM ...)" label on .rdata is a libmagic guess on raw section bytes and carries no meaning.

Resources

Name | RVA | Size | Type | Language | Country
PNG | 0x5d5e4 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States
PNG | 0x5e12c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States
RT_ICON | 0x5f6d8 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x61c80 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x62d28 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x63190 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x673b8 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
RT_DIALOG | 0x77be0 | 0x286 | data | English | United States
RT_DIALOG | 0x77e68 | 0x13a | data | English | United States
RT_DIALOG | 0x77fa4 | 0xec | data | English | United States
RT_DIALOG | 0x78090 | 0x12e | data | English | United States
RT_DIALOG | 0x781c0 | 0x338 | data | English | United States
RT_DIALOG | 0x784f8 | 0x252 | data | English | United States
RT_STRING | 0x7874c | 0x1e2 | data | English | United States
RT_STRING | 0x78930 | 0x1cc | data | English | United States
RT_STRING | 0x78afc | 0x1ee | data | English | United States
RT_STRING | 0x78cec | 0x146 | Hitachi SH big-endian COFF object file, not stripped, 17152 sections, symbol offset=0x73006500 | English | United States
RT_STRING | 0x78e34 | 0x446 | data | English | United States
RT_STRING | 0x7927c | 0x166 | data | English | United States
RT_STRING | 0x793e4 | 0x120 | data | English | United States
RT_STRING | 0x79504 | 0x10a | data | English | United States
RT_STRING | 0x79610 | 0xbc | data | English | United States
RT_STRING | 0x796cc | 0xd6 | data | English | United States
RT_GROUP_ICON | 0x797a4 | 0x4c | data | |
RT_MANIFEST | 0x797f0 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

The "dBase", "GLS_BINARY" and "Hitachi SH COFF" type strings are libmagic guesses over raw resource b￼ytes and should be ignored: RT_ICON entries are DIB bitmaps without the ICONDIR header that would identify them, and RT_STRING entries are length-prefixed UTF-16 string tables (the "symbol offset" 0x73006500 is simply the UTF-16 text "es"). The five icons, six dialogs and string tables are the GUI of the extractor stub; the PNGs are its banner images.

Imports

KERNEL32.dll: GetLastError, SetLastError, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, GetTickCount, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer

gdiplus.dll: GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Two caveats when reading this list. IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, EncodePointer and the Tls* functions are pulled in by the MSVC CRT start-up code and are not evidence of anti-debugging by the sample's author. Second, the PE also has a DELAY_IMPORT directory (0x3824c, see Data Directories), and delay-loaded imports appear neither here nor in the Import Hash, so the list above is not the complete set of APIs the stub can call. The file-system set that is present (CreateDirectoryW, CreateFileW, SetFileTime, CreateHardLinkW, DeviceIoControl, MoveFileExW, GetTempPathW) is what an archive extractor needs and matches the File Created table.
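The Import Hash, the decoded Time Stamp and the expanded DLL Characteristics in the Static PE Info section are derived values, and each is worth being able to recompute when triaging a related sample. The following Python is an added example, not Joe Sandbox's or the sample's code: it implements the common imphash definition (lower-cased DLL name without a .dll/.ocx/.sys extension, the function name or ordNNN, comma-joined in import-table order, MD5), decodes a COFF timestamp, and expands a DllCharacteristics bitmask. The import excerpt in the main block is constructed; the report's value 00be6e6c4f9e287672c8301b72bdabf3 is only reproducible from the complete import directory in on-disk order, and the 0x8140 mask is the assumed encoding of the three flags the report lists.

```python
# Added example, not part of the Joe Sandbox report: recompute the derived
# values shown under "Static PE Info / General" from raw header data.
import hashlib
from datetime import datetime, timezone

# IMAGE_DLLCHARACTERISTICS_* bits as defined in winnt.h
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def imphash_string(imports) -> str:
    """Normalise (dll, function-or-ordinal) pairs the way imphash does:
    lower-case, strip .dll/.ocx/.sys, ordinals as ordNNN, order preserved."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{dll}.{name}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 over the normalised import string, the value tools print as imphash."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def decode_timestamp(ts: int) -> str:
    """COFF TimeDateStamp (seconds since 1970-01-01 UTC) as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def decode_dll_characteristics(mask: int) -> list:
    """Expand the DllCharacteristics bitmask into flag names, lowest bit first;
    any bit not in the table is kept as a hex remainder so nothing is silently lost."""
    names = [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if mask & bit]
    unknown = mask & ~sum(DLL_CHARACTERISTICS)
    if unknown:
        names.append(f"0x{unknown:04x}")
    return names


if __name__ == "__main__":
    # Constructed excerpt of the import table printed in the report; the real
    # order and the full list come from the PE import directory.
    excerpt = [
        ("KERNEL32.dll", "GetLastError"),
        ("KERNEL32.dll", "SetLastError"),
        ("gdiplus.dll", "GdiplusStartup"),
    ]
    print("imphash string:", imphash_string(excerpt))
    print("imphash:", imphash(excerpt))
    print("timestamp:", decode_timestamp(0x5CC4B58F))
    # 0x8140 is the assumed mask for TERMINAL_SERVER_AWARE | NX_COMPAT | DYNAMIC_BASE
    print("dll characteristics:", decode_dll_characteristics(0x8140))
```

Because the hash is order-sensitive, two builds that import the same functions in a different order get different imphash values; that is why the value is useful for clustering samples built from the same source and toolchain rather than for matching functionality.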

Possible Origin

Language of compilation system: English
Country where language is spoken: United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• FAKE SSS ID-pdf.exe
• wscript.exe
• oitpmotjn.exe

System Behavior

Analysis Process: FAKE SSS ID-pdf.exe PID: 3540 Parent PID: 3860

General

Start time: 14:44:39
Start date: 10/03/2020
Path: C:\Users\user\Desktop\FAKE SSS ID-pdf.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\FAKE SSS ID-pdf.exe'
Imagebase: 0xeb0000
File size: 1063012 bytes
MD5 hash: 2DBD9D122837F67F8DF785DE70877A64
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

The run-time image base 0xeb0000 differs from the preferred 0x400000 in the PE header because the binary is linked with DYNAMIC_BASE and was relocated by ASLR; the call-site addresses in the tables below (EB95CF, EB9CA6, EB9E13, EB9F03) are inside this relocated image, so subtract 0xeb0000 to map them back to file RVAs.

File Activities

File Created

Directories, created with CreateDirectoryW (address EB9F03), count 1 each. Access: read data or list directory | synchronize. Attributes: device. Options: directory file | synchronous io non alert | open for backup ident | open reparse point.
C:\Users (completion: object name collision)
C:\Users\user (completion: object name collision)
C:\Users\user\AppData (completion: object name collision)
C:\Users\user\AppData\Roaming (completion: object name collision)
C:\Users\user\AppData\Roaming\x1532c8256 (completion: success or wait)

Files, created with CreateFileW (address EB95CF), count 1 each, completion success or wait. Attributes: device. Options: synchronous io non alert | non directory file. Access: read attributes | synchronize | generic write, except the first entry, which also requests generic read.
C:\Users\user\AppData\Roaming\x1532c8256\__tmp_rar_sfx_access_check_6042750 (access: read attributes | synchronize | generic read | generic write)
C:\Users\user\AppData\Roaming\x1532c8256\xdmoxvqa.cpl
C:\Users\user\AppData\Roaming\x1532c8256\jrbp.pbh
C:\Users\user\AppData\Roaming\x1532c8256\fdpqirllrb.vbs
C:\Users\user\AppData\Roaming\x1532c8256\oitpmotjn.exe
C:\Users\user\AppData\Roaming\x1532c8256\ogwl.exe
C:\Users\user\AppData\Roaming\x1532c8256\extqcuh.nls
C:\Users\user\AppData\Roaming\x1532c8256\nquhts.dat
C:\Users\user\AppData\Roaming\x1532c8256\anrohnefra.msc
C:\Users\user\AppData\Roaming\x1532c8256\glvtbtxfvr.xls
C:\Users\user\AppData\Roaming\x1532c8256\xgpg.icm
C:\Users\user\AppData\Roaming\x1532c8256\xphca.cpl
C:\Users\user\AppData\Roaming\x1532c8256\tcowvpfwv.msc
C:\Users\user\AppData\Roaming\x1532c8256\xekltk.cpl
C:\Users\user\AppData\Roaming\x1532c8256\wbgvokqlg.txt
C:\Users\user\AppData\Roaming\x1532c8256\rwucorxiun.xls
C:\Users\user\AppData\Roaming\x1532c8256\nccarmviuw.exe
C:\Users\user\AppData\Roaming\x1532c8256\uorkh.ico
C:\Users\user\AppData\Roaming\x1532c8256\ipjcrh.cpl
C:\Users\user\AppData\Roaming\x1532c8256\ebfgeul.dll
C:\Users\user\AppData\Roaming\x1532c8256\iwlehr.nls

The CreateDirectoryW calls on every parent component (returning object name collision until the new leaf directory succeeds) and the __tmp_rar_sfx_access_check_<n> probe file, created and then deleted (see File Deleted), are the write-access check a WinRAR self-extracting module performs before extracting. The first stage of this sample is therefore an SFX archive that unpacks twenty files into a freshly created, randomly named directory under %APPDATA%; note that the extension of each dropped file (.cpl, .xls, .ico, .msc) says nothing about its content, since the dropped-files section shows most of them to be short ASCII text.
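The process tree behind these entries (FAKE SSS ID-pdf.exe, PID 3540, drops into the new x1532c8256 directory; wscript.exe, PID 3624, runs from it; oitpmotjn.exe, PID 1684, follows as its child) is detectable from process-creation telemetry alone, without file hashes. The following Python is an added example and not part of the report: it walks constructed Sysmon-style process events and flags any script host that runs a script from an AppData\Roaming subdirectory and then starts an executable from that same directory. The wscript.exe command line is an assumption (the report does not print it); the PIDs and paths copy the process tree, and the fourth event is a constructed benign control.

```python
# Added example, not part of the Joe Sandbox report: flag the dropper ->
# script host -> executable chain from process-creation events.
import re
from collections import defaultdict

# First directory component under %APPDATA%\Roaming; the drop directory here.
APPDATA_DIR = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Roaming\\([^\\]+)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def appdata_subdir(path: str):
    """Name of the directory directly under AppData\\Roaming, or None if not there."""
    m = APPDATA_DIR.match(path)
    return m.group(1).lower() if m else None


def script_path(cmdline: str):
    """Return the script argument of a wscript/cscript command line, quoted or not."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline):
        arg = quoted or bare
        if arg.lower().endswith(SCRIPT_EXT):
            return arg
    return None


def find_script_host_chains(events):
    """events: process-creation records with keys pid, ppid, image, cmdline.
    Returns (parent, script_host, child) triples where a script host ran a
    script from an AppData\\Roaming subdirectory and then spawned an executable
    located in that same directory."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    hits = []
    for host in events:
        if basename(host["image"]) not in SCRIPT_HOSTS:
            continue
        script = script_path(host["cmdline"])
        drop_dir = appdata_subdir(script) if script else None
        if drop_dir is None:
            continue
        for child in children[host["pid"]]:
            if appdata_subdir(child["image"]) == drop_dir:
                hits.append((by_pid.get(host["ppid"]), host, child))
    return hits


# Constructed sample events mirroring the report's process tree (PIDs 3540/3624/1684);
# the wscript.exe command line is assumed, and the last event is a benign control.
SAMPLE_EVENTS = [
    {"pid": 3540, "ppid": 3860, "image": r"C:\Users\user\Desktop\FAKE SSS ID-pdf.exe",
     "cmdline": r'"C:\Users\user\Desktop\FAKE SSS ID-pdf.exe"'},
    {"pid": 3624, "ppid": 3540, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Roaming\x1532c8256\fdpqirllrb.vbs"'},
    {"pid": 1684, "ppid": 3624, "image": r"C:\Users\user\AppData\Roaming\x1532c8256\oitpmotjn.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\x1532c8256\oitpmotjn.exe"'},
    {"pid": 4000, "ppid": 3860, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\user\Documents\logon.vbs"},
]

if __name__ == "__main__":
    for parent, host, child in find_script_host_chains(SAMPLE_EVENTS):
        print(f"{parent['image']} -> {basename(host['image'])} -> {child['image']}")
```

The rule keys on the relationship between the script's directory and the child's directory rather than on the random directory name, so it still fires when the SFX picks a different name on the next host; the benign logon-script event is ignored because its script is not under AppData\Roaming.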

File Deleted

C:\Users\user\AppData\Roaming\x1532c8256\__tmp_rar_sfx_access_check_6042750
Completion: success or wait  Count: 1  Address: EB9E13  Symbol: DeleteFileW
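The File Written tables that follow print the first bytes of each write as a hex column beside its ASCII rendering. As an added example that is not part of the report, the Python below turns such a hex column back into bytes, selects a text encoding from the byte-order mark and separates genuine script text from binary data that merely begins with a BOM. The two sample values are constructed from the leading bytes the report shows for fdpqirllrb.vbs (FF FE, so UTF-16LE, with the first lines starting with an apostrophe, VBScript's comment marker) and for jrbp.pbh (FF FE followed by bytes that are not text); they are excerpts, not the full files.

```python
# Added example, not part of the Joe Sandbox report: decode the hex "Value"
# column of a File Written entry and tell script text from binary.
import string

# Byte-order marks in the order they must be tested (UTF-8 first, it is longest).
BOMS = [
    (b"\xef\xbb\xbf", "utf-8-sig"),
    (b"\xff\xfe", "utf-16-le"),
    (b"\xfe\xff", "utf-16-be"),
]
TEXT_CHARS = set(string.printable)


def parse_hex_column(hex_text: str) -> bytes:
    """'ff fe 27 00 ...' with any whitespace or line breaks -> bytes."""
    return bytes.fromhex("".join(hex_text.split()))


def decode_written_value(raw: bytes):
    """Choose an encoding from the BOM (cp1252 as the Windows fallback) and
    return (encoding, text without the BOM). Undecodable bytes become U+FFFD."""
    for bom, enc in BOMS:
        if raw.startswith(bom):
            body = raw if enc == "utf-8-sig" else raw[len(bom):]
            return enc, body.decode(enc, errors="replace")
    return "cp1252", raw.decode("cp1252", errors="replace")


def ascii_ratio(text: str) -> float:
    """Share of characters that are printable ASCII (whitespace included):
    about 1.0 for script source, low for an encrypted blob behind a BOM."""
    if not text:
        return 0.0
    return sum(ch in TEXT_CHARS for ch in text) / len(text)


def vbs_lines(text: str) -> list:
    """Split recovered script text into (is_comment, line) pairs; a VBScript
    comment line starts with an apostrophe."""
    lines = text.replace("\r\n", "\n").split("\n")
    return [(line.lstrip().startswith("'"), line) for line in lines]


# Constructed from the leading bytes the report prints for fdpqirllrb.vbs.
VBS_HEAD_HEX = (
    "ff fe 27 00 75 00 75 00 36 00 4b 00 38 00 35 00 34 00 52 00 36 00 36 00 34 00 6b 00 "
    "35 00 34 00 53 00 67 00 35 00 75 00 30 00 39 00 30 00 39 00 43 00 51 00 36 00 30 00 "
    "43 00 76 00 34 00 39 00 38 00 31 00 34 00 33 00 55 00 7a 00 33 00 71 00 4d 00 32 00 "
    "0d 00 0a 00 27 00 35 00 38 00 32 00 34 00 68 00"
)
# Constructed from the leading bytes the report prints for jrbp.pbh.
PBH_HEAD_HEX = "ff fe 3b 00 87 33 e5 c8 4f 66 d9 39 52 57 04 7c 39 00 25 5f 2a 95"

if __name__ == "__main__":
    for name, hx in (("fdpqirllrb.vbs", VBS_HEAD_HEX), ("jrbp.pbh", PBH_HEAD_HEX)):
        enc, text = decode_written_value(parse_hex_column(hx))
        print(f"{name}: {enc}, printable-ASCII ratio {ascii_ratio(text):.2f}")
        for is_comment, line in vbs_lines(text):
            print("  comment" if is_comment else "  code   ", repr(line))
```

The ASCII ratio is the useful discriminator here: both files start with the same two BOM bytes, but only the .vbs decodes to printable text, so the 4 MB jrbp.pbh is the payload the script consumes rather than a second script, and the comment-only leading lines of the .vbs are padding that a triage script should skip before looking for the real statements.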

File Written

C:\Users\user\AppData\Roaming\x1532c8256\xdmoxvqa.cpl
Offset: unknown  Length: 317066  Completion: success or wait  Count: 1  Address: EB9CA6  Symbol: WriteFile
Value (hex) and Ascii columns: 55 37 35 38 6b 65 56 U758keV21I993q72OK410 32 31 49 39 39 33 71 7kBU0h190 37 32 4f 4b 34 31 30 p1rgeD0KuDQWgRXh..N6 37 6b 42 55 30 68 31 ZxWXcN021J 39 30 70 31 72 67 65 6H4hs7I6p3r652st7w8a82 44 30 4b 75 44 51 57 APR4580A 67 52 58 68 0d 0a 4e le42u4hG449d5361W8D..6 36 5a 78 57 58 63 4e 83F476OD 30 32 31 4a 36 48 34 J37LLNU26G05Kx09a73Q 68 73 37 49 36 70 33 758nO18d.. 72 36 35 32 73 74 37 Pr4H8HY1qXUrt06Qm38x 77 38 61 38 32 41 50 x6cAla104a 52 34 35 38 30 41 6c VF4h2vpdk05m19b96557 65 34 32 75 34 68 47 QK4T89Y239 34 34 39 64 35 33 36 J5074zNGK0PGu..2oj5y56 31 57 38 44 0d 0a 36 yyg959Qn 38 33 46 34 37 36 4f 10976w4m0Zy5MG2 44 4a 33 37 4c 4c 4e 55 32 36 47 30 35 4b 78 30 39 61 37 33 51 37 35 38 6e 4f 31 38 64 0d 0a 50 72 34 48 38 48 59 31 71 58 55 72 74 30 36 51 6d 33 38 78 78 36 63 41 6c 61 31 30 34 61 56 46 34 68 32 76 70 64 6b 30 35 6d 31 39 62 39 36 35 35 37 51 4b 34 54 38 39 59 32 33 39 4a 35 30 37 34 7a 4e 47 4b 30 50 47 75 0d 0a 32 6f 6a 35 79 35 36 79 79 67 39 35 39 51 6e 31 30 39 37 36 77 34 6d 30 5a 79 35 4d 47 32

C:\Users\user\AppData\Roaming\x1532c8256\jrbp.pbh
Offset: unknown  Length: 4191950  Completion: success or wait  Count: 38  Address: EB9CA6  Symbol: WriteFile
Value (hex) and Ascii columns: ff fe 3b 00 87 33 e5 c8 ..;..3..Of.9RW.|9.%_*...S.).. 4f 66 d9 39 52 57 04 . 7c 39 00 25 5f 2a 95 ~w2T.2Z..n.H..G...... e..Zs.. 08 f2 53 a4 29 e2 bf d5 O...... 36.... bm.8.}\.J....m. 7e 77 32 54 f9 32 5a ..+0....#.c.s.%q4C...).}.y.... 06 dc 6e b2 48 fe bd .#t.4[..-.}...U.(.=.P...yo...f 47 b9 d5 94 b3 84 ..16x...v...=r...... 3?.T}.b..S 65 80 f5 5a 73 9d e9 4f ....&..x./P..w.#...Kd...... 01 ae a0 d7 a3 b9 9c ff .y..U.$7..h .H....{.X..k.....) 13 33 36 b3 a0 2e 19 ....}...S.buV.. 20 62 6d d3 38 ca 7d 5c be 4a ed 12 01 a3 6d d6 08 8a 2b 30 0d 00 0a 00 23 00 63 00 73 00 25 71 34 43 88 a8 c5 29 00 7d a3 79 c2 80 0a d4 ce 23 74 94 34 5b c0 d1 2d ad 7d eb e8 ca 55 f7 28 fe 3d b4 50 04 b1 87 79 6f ee 9a eb 66 8f a8 31 36 78 aa aa 05 76 0a dc a5 3d 72 0d 00 0a 00 cc f5 33 3f 94 54 7d cd 62 ea 93 53 c5 a1 7f e0 26 1e a3 78 1b 2f 50 1f 1d 77 ff 23 07 9e 1a 4b 64 ec e7 f8 bb eb 2e c8 1e 97 e1 79 2e 07 55 fa 24 37 c8 15 68 20 b4 48 f5 c3 c6 91 7b d1 58 ce bc 6b a4 f7 0f 87 f9 29 ac f6 80 d0 7d 06 ec a1 53 81 62 75 56 a8 fe

C:\Users\user\AppData\Roaming\x1532c8256\fdpqirllrb.vbs
Offset: unknown  Length: 39100  Completion: success or wait  Count: 1  Address: EB9CA6  Symbol: WriteFile
Value (hex) and Ascii columns: ff fe 27 00 75 00 75 00 ..'.u.u.6.K.8.5.4.R.6.6.4.k.5 36 00 4b 00 38 00 35 . 00 34 00 52 00 36 00 4.S.g.5.u.0.9.0.9.C.Q.6.0. 36 00 34 00 6b 00 35 C.v. 00 34 00 53 00 67 00 4.9.8.1.4.3.U.z.3.q.M.2.....'. 35 00 75 00 30 00 39 5.8.2.4.h.B.8.S.4.3.F.4.7.m 00 30 00 39 00 43 00 .5. 51 00 36 00 30 00 43 3.7.3.M.7.n.9.4.9.5.l.S.7.z. 00 76 00 34 00 39 00 2. 38 00 31 00 34 00 33 1.4.3.u.E.8.7.3.5.5.3.3.L.2. 00 55 00 7a 00 33 00 O. 71 00 4d 00 32 00 0d 1.u.....'.C.8.X.7.2.0.O.m.l.6. 00 0a 00 27 00 35 00 U.8.4.z.6.Y.w.0.H.3.9.8.G. 38 00 32 00 34 00 68 z.D.6.D.g.4.e.2.p.1 00 42 00 38 00 53 00 34 00 33 00 46 00 34 00 37 00 6d 00 35 00 33 00 37 00 33 00 4d 00 37 00 6e 00 39 00 34 00 39 00 35 00 6c 00 53 00 37 00 7a 00 32 00 31 00 34 00 33 00 75 00 45 00 38 00 37 00 33 00 35 00 35 00 33 00 33 00 4c 00 32 00 4f 00 31 00 75 00 0d 00 0a 00 27 00 43 00 38 00 58 00 37 00 32 00 30 00 4f 00 6d 00 6c 00 36 00 55 00 38 00 34 00 7a 00 36 00 59 00 77 00 30 00 48 00 33 00 39 00 38 00 47 00 7a 00 44 00 36 00 44 00 67 00 34 00 65 00 32 00 70 00 31

Both of these writes start with FF FE, the UTF-16LE byte-order mark, but only the .vbs continues as text: every recovered line begins with an apostrophe, so the script opens with comment padding, while the 4 MB jrbp.pbh is non-text after the BOM, which is the behaviour of a payload blob rather than a second script.

C:\Users\user\AppData\Roaming\x1532c8256\oitpmotjn.exe
Offset: unknown  Length: 65536  Completion: success or wait  Count: 24  Address: EB9CA6  Symbol: WriteFile
Value (hex) and Ascii columns: 4d 5a 90 00 03 00 00 MZ...... @..... 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... 1b... 00 00 00 00 00 00 00 ....P.).....Q...... y...... i. 00 00 00 00 00 00 00 ...... }....N...... d...... 00 00 00 f8 00 00 00 `...... m...... g.....Rich.... 0e 1f ba 0e 00 b4 09 ...... PE..L.. cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c2 1e 94 bf 86 7f fa ec 86 7f fa ec 86 7f fa ec 15 31 62 ec 84 7f fa ec 9d e2 50 ec 29 7f fa ec 9d e2 51 ec b3 7f fa ec 8f 07 79 ec 8f 7f fa ec 8f 07 69 ec a7 7f fa ec 86 7f fb ec 96 7d fa ec 9d e2 4e ec ce 7f fa ec 9d e2 64 ec 9a 7f fa ec 9d e2 60 ec 87 7f fa ec 86 7f 6d ec 87 7f fa ec 9d e2 67 ec 87 7f fa ec 52 69 63 68 86 7f fa ec 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05

C:\Users\user\AppData\Roaming\x1532c8256\ogwl.exe
Offset: unknown  Length: 508  Completion: success or wait  Count: 1  Address: EB9CA6  Symbol: WriteFile
Value (hex) and Ascii columns: 39 46 39 43 30 37 6b 9F9C07kk1c4Z87y6C98cF 6b 31 63 34 5a 38 37 78fXUuH51 79 36 43 39 38 63 46 xqbv..9223t0935XvGCH5 37 38 66 58 55 75 48 GPUD3Ac30 35 31 78 71 62 76 0d 4v5W8W680s2X1KR20Kq 0a 39 32 32 33 74 30 X1eh5d69hs0 39 33 35 58 76 47 43 9I..m80v2o4CFc1410np9Z 48 35 47 50 55 44 33 sQ946Ab6 41 63 33 30 34 76 35 0F90470988kY63Vvt78866 57 38 57 36 38 30 73 06PL69q4 32 58 31 4b 52 32 30 lTlI6Q75je20p515opB5hrI0 4b 71 58 31 65 68 35 R7Zs2i 64 36 39 68 73 30 39 wUa3Tn3667205620z6252 49 0d 0a 6d 38 30 76 51361NXuP 32 6f 34 43 46 63 31 Sn8V6..BB6Y6Q6oqNq0ir4 34 31 30 6e 70 39 5a AZ5666B3 73 51 39 34 36 41 62 wK3m3NDFN3rNM69 36 30 46 39 30 34 37 30 39 38 38 6b 59 36 33 56 76 74 37 38 38 36 36 30 36 50 4c 36 39 71 34 6c 54 6c 49 36 51 37 35 6a 65 32 30 70 35 31 35 6f 70 42 35 68 72 49 30 52 37 5a 73 32 69 77 55 61 33 54 6e 33 36 36 37 32 30 35 36 32 30 7a 36 32 35 32 35 31 33 36 31 4e 58 75 50 53 6e 38 56 36 0d 0a 42 42 36 59 36 51 36 6f 71 4e 71 30 69 72 34 41 5a 35 36 36 36 42 33 77 4b 33 6d 33 4e 44 46 4e 33 72 4e 4d 36 39

Of the two files named .exe here, only oitpmotjn.exe is a real PE (MZ header, DOS stub, "Rich" header, PE signature at 50 45 00 00 with machine type 4c 01, i386); ogwl.exe is 508 bytes of the same alphanumeric text as the other decoy files, so its extension is a decoy too.

C:\Users\user\AppData\Roaming\x1532c8256\extqcuh.nls
Offset: unknown  Length: 517  Completion: success or wait  Count: 1  Address: EB9CA6  Symbol: WriteFile
Value (hex) and Ascii columns: 66 42 6d 4f 4e 75 34 fBmONu429c81u0..z185ih 32 39 63 38 31 75 30 4fr6G508 0d 0a 7a 31 38 35 69 451U401w05667x31WOFN 68 34 66 72 36 47 35 UCfTNFNG14 30 38 34 35 31 55 34 91v5R36Q6z81Fk7oxUCt3 30 31 77 30 35 36 36 uU1n851Ef 37 78 33 31 57 4f 46 MgxtBV98..37UGf942Xh6 4e 55 43 66 54 4e 46 78TAXN780 4e 47 31 34 39 31 76 0304U38w5K187857D0J95 35 52 33 36 51 36 7a l0x42H5YY 38 31 46 6b 37 6f 78 9J7BGXr6WUYODp4GKd 55 43 74 33 75 55 31 EbpI8le3556J 6e 38 35 31 45 66 4d uk238j09g2w58z10..3GCh 67 78 74 42 56 39 38 HaG0es3v 0d 0a 33 37 55 47 66 I2V0tU71ny..u5n4TXNpg7 39 34 32 58 68 36 37 534H6O61 38 54 41 58 4e 37 38 uh2r3mNIb155E34 30 30 33 30 34 55 33 38 77 35 4b 31 38 37 38 35 37 44 30 4a 39 35 6c 30 78 34 32 48 35 59 59 39 4a 37 42 47 58 72 36 57 55 59 4f 44 70 34 47 4b 64 45 62 70 49 38 6c 65 33 35 35 36 4a 75 6b 32 33 38 6a 30 39 67 32 77 35 38 7a 31 30 0d 0a 33 47 43 68 48 61 47 30 65 73 33 76 49 32 56 30 74 55 37 31 6e 79 0d 0a 75 35 6e 34 54 58 4e 70 67 37 35 33 34 48 36 4f 36 31 75 68 32 72 33 6d 4e 49 62 31 35 35 45 33 34

C:\Users\user\AppData\Roaming\x1532c8256\nquhts.dat
Offset: unknown  Length: 566  Completion: success or wait  Count: 1  Address: EB9CA6  Symbol: WriteFile
Value (hex) and Ascii columns: 64 32 39 39 70 79 67 d299pyg33474056448iUuj2 33 33 34 37 34 30 35 9Q3Cxxs 36 34 34 38 69 55 75 h6Yq3D79mREUZT5z14m 6a 32 39 51 33 43 78 52bh3gpZb1h 78 73 68 36 59 71 33 1l913z7ku48F43E6..f3IlP 44 37 39 6d 52 45 55 W9IH7i0 5a 54 35 7a 31 34 6d Dd7B3jmWhTU30D393645 35 32 62 68 33 67 70 H3lI50Z3N2 5a 62 31 68 31 6c 39 HOg8FIciCu57290C86SiQ 31 33 7a 37 6b 75 34 503V69sU2 38 46 34 33 45 36 0d 149Vsu65XbQxN3f4JS30q 0a 66 33 49 6c 50 57 75..39yAL 39 49 48 37 69 30 44 57Bttwf705GlY55fu8u8YfO 64 37 42 33 6a 6d 57 72yp8hu 68 54 55 33 30 44 33 84n3E479a274t6w50S5XR 39 33 36 34 35 48 33 In88ye514 6c 49 35 30 5a 33 4e 124jo35w4Az4b8T 32 48 4f 67 38 46 49 63 69 43 75 35 37 32 39 30 43 38 36 53 69 51 35 30 33 56 36 39 73 55 32 31 34 39 56 73 75 36 35 58 62 51 78 4e 33 66 34 4a 53 33 30 71 37 35 0d 0a 33 39 79 41 4c 35 37 42 74 74 77 66 37 30 35 47 6c 59 35 35 66 75 38 75 38 59 66 4f 37 32 79 70 38 68 75 38 34 6e 33 45 34 37 39 61 32 37 34 74 36 77 35 30 53 35 58 52 49 6e 38 38 79 65 35 31 34 31 32 34 6a 6f 33 35 77 34 41 7a 34 62 38 54

Source: C:\Users\user\AppData\Roaming\x1532c8256\anrohnefra.msc
Offset: unknown
Length: 573
Value (hex): 6d 35 42 38 35 35 39 6b 37 34 6b 58 68 4a 39 32 61 64 35 78 33 38 78 37 31 37 78 78 37 34 36 78 37 4e 67 78 57 6e 33 32 68 39 5a 31 41 45 53 65 4f 79 33 34 30 4b 32 41 47 70 37 35 43 37 37 31 38 57 37 34 7a 35 74 33 72 39 0d 0a 72 38 31 41 39 30 36 37 30 37 4c 67 34 30 62 33 65 33 33 36 37 31 34 49 53 76 41 33 34 4d 75 38 30 37 6d 38 30 34 4c 39 35 33 37 64 36 73 33 32 42 56 44 7a 4e 38 62 66 37 76 6e 6c 33 31 31 39 39 64 57 4f 36 46 50 67 56 35 38 48 50 42 51 0d 0a 53 4c 38 35 41 32 38 32 74 53 38 57 57 30 38 56 57 35 30 34 36 53 63 38 65 31 39 37 31 4c 30 4d 77 32 59 53 36 44 58 36 32 76 37 61 34 38 57 4e 38 32 35 47 37 38 36 55 54 31 38 35 49 4a 36 58 37 34 31 49 58 30 33 49 65 38 51 33 30 4e 38 39 37 6a 50 45 75 42 35 32 56 32 31 33 33 4d 61 33 35 74
Ascii: m5B8559k74kXhJ92ad5x38x717xx746x7NgxWn32h9Z1AESeOy340K2AGp75C7718W74z5t3r9..r81A906707Lg40b3e336714ISvA34Mu807m804L9537d6s32BVDzN8bf7vnl31199dWO6FPgV58HPBQ..SL85A282tS8WW08VW5046Sc8e1971L0Mw2YS6DX62v7a48WN825G786UT185IJ6X741IX03Ie8Q30N897jPEuB52V2133Ma35t
Completion: success or wait
Count: 1
Address: EB9CA6
Symbol: WriteFile

Source: C:\Users\user\AppData\Roaming\x1532c8256\glvtbtxfvr.xls
Offset: unknown
Length: 615
Value (hex): 36 35 33 37 51 6d 38 36 31 30 7a 30 65 72 35 47 73 34 71 33 67 64 6a 30 36 4f 56 34 55 6c 74 47 56 39 37 34 55 34 0d 0a 61 30 33 30 73 4c 37 4a 7a 6f 63 67 4b 76 38 32 76 34 32 45 6c 45 43 63 36 72 35 37 33 39 6e 75 59 33 37 30 30 77 38 59 31 35 34 38 69 36 36 33 32 72 51 79 41 65 73 76 69 74 37 43 39 70 62 74 41 4d 33 42 39 51 47 38 43 51 39 0d 0a 42 35 69 36 33 53 38 30 38 70 37 61 4c 6a 33 6b 73 65 39 72 39 31 35 39 6d 38 71 73 32 38 39 30 30 4f 34 32 45 37 36 6c 35 64 50 67 64 65 33 33 6b 39 73 36 65 64 69 6b 51 78 32 4b 33 78 36 6f 67 42 39 35 79 43 32 39 31 42 33 0d 0a 4e 69 4b 62 35 78 37 67 75 4c 6e 32 37 78 39 48 32 66 44 64 32 42 37 39 31 76 31 37 55 34 32 35 31 64 37 37 39 4d 39 6c 39 63 78 30 39 63 39 37 39 30 36 30 37 33 47 6b 35 66 71 35 39
Ascii: 6537Qm8610z0er5Gs4q3gdj06OV4UltGV974U4..a030sL7JzocgKv82v42ElECc6r5739nuY3700w8Y1548i6632rQyAesvit7C9pbtAM3B9QG8CQ9..B5i63S808p7aLj3kse9r9159m8qs28900O42E76l5dPgde33k9s6edikQx2K3x6ogB95yC291B3..NiKb5x7guLn27x9H2fDd2B791v17U4251d779M9l9cx09c97906073Gk5fq59
Completion: success or wait
Count: 1
Address: EB9CA6
Symbol: WriteFile

Source: C:\Users\user\AppData\Roaming\x1532c8256\xgpg.icm
Offset: unknown
Length: 530
Value (hex): 33 37 39 45 6a 36 52 76 6e 45 35 33 37 45 35 0d 0a 34 76 63 59 71 32 33 33 66 38 75 49 33 34 6f 34 6a 72 31 75 46 35 33 74 55 38 4d 4a 6d 54 55 65 77 38 39 34 0d 0a 61 35 58 63 36 6e 70 34 38 30 31 4f 75 30 34 34 31 31 57 75 45 55 35 54 30 31 30 36 31 37 47 46 30 38 38 4e 30 30 58 32 48 55 39 30 6d 38 39 62 52 32 6b 50 58 76 32 42 32 67 69 39 36 49 36 78 4a 4c 61 4e 57 54 30 6b 36 76 36 56 31 67 46 30 34 34 34 33 30 5a 36 67 65 54 35 59 75 30 67 51 30 64 45 31 30 57 47 77 38 38 35 4a 0d 0a 33 31 48 37 73 33 71 30 75 38 36 36 55 38 67 39 35 76 32 37 31 4a 37 37 41 38 6a 38 74 35 31 35 6a 4a 39 56 30 67 30 37 34 59 38 31 4a 30 39 36 4a 34 37 38 36 36 36 42 51 6d 70 36 4b 32 61 30 73 30 35 75 56 56 30 54 65 39 4d 46 65 51 37 34 7a 46 32 59 35 45 36 58 54 34
Ascii: 379Ej6RvnE537E5..4vcYq233f8uI34o4jr1uF53tU8MJmTUew894..a5Xc6np4801Ou04411WuEU5T010617GF088N00X2HU90m89bR2kPXv2B2gi96I6xJLaNWT0k6v6V1gF044430Z6geT5Yu0gQ0dE10WGw885J..31H7s3q0u866U8g95v271J77A8j8t515jJ9V0g074Y81J096J478666BQmp6K2a0s05uVV0Te9MFeQ74zF2Y5E6XT4
Completion: success or wait
Count: 1
Address: EB9CA6
Symbol: WriteFile

Source: C:\Users\user\AppData\Roaming\x1532c8256\xphca.cpl
Offset: unknown
Length: 502
Value (hex): 47 34 6d 31 30 6c 36 31 57 37 72 76 39 5a 33 62 7a 34 30 43 41 37 41 44 64 53 30 33 4b 66 41 33 34 4f 32 59 31 77 59 72 38 34 30 32 32 65 78 31 32 4a 36 37 7a 61 30 46 51 6a 50 7a 62 52 33 31 30 43 53 33 34 48 38 48 39 4c 37 49 35 0d 0a 41 30 55 51 77 42 33 5a 31 72 39 67 67 37 74 33 32 4e 4d 6b 73 39 37 4c 36 35 42 39 6b 4b 37 36 39 30 33 38 34 37 4c 52 59 69 39 7a 35 35 52 34 36 32 77 38 35 38 33 39 38 64 33 58 35 38 39 0d 0a 30 6d 4b 33 38 34 37 76 34 70 38 31 35 30 30 34 55 72 68 6b 30 31 63 35 67 34 38 33 49 67 63 33 37 0d 0a 71 77 32 30 58 64 41 48 44 34 44 31 48 57 34 59 33 31 52 35 32 72 38 4e 36 49 33 70 61 6a 36 39 6b 53 75 41 34 6a 39 73 31 79 73 32 64 32 4d 57 34 71 37 52 4c 38 34 35 6a 38 49 4f 33 56 35 36 5a 54 76 38 32 49 78 6b 31 65 35 37
Ascii: G4m10l61W7rv9Z3bz40CA7ADdS03KfA34O2Y1wYr84022ex12J67za0FQjPzbR310CS34H8H9L7I5..A0UQwB3Z1r9gg7t32NMks97L65B9kK76903847LRYi9z55R462w858398d3X589..0mK3847v4p815004Urhk01c5g483Igc37..qw20XdAHD4D1HW4Y31R52r8N6I3paj69kSuA4j9s1ys2d2MW4q7RL845j8IO3V56ZTv82Ixk1e57
Completion: success or wait
Count: 1
Address: EB9CA6
Symbol: WriteFile

Source: C:\Users\user\AppData\Roaming\x1532c8256\tcowvpfwv.msc
Offset: unknown
Length: 592
Value (hex): 41 37 67 39 38 31 7a 34 32 7a 6c 32 39 36 35 38 46 39 37 69 30 33 39 31 43 34 43 33 75 31 74 45 33 4f 51 35 30 34 36 6a 65 52 36 32 6b 38 56 32 70 75 55 37 33 38 73 43 34 4c 4d 31 38 32 6d 58 59 45 45 32 6a 52 6a 43 7a 7a 45 71 67 31 33 41 30 59 59 47 32 39 55 79 31 37 31 33 38 34 6b 31 32 35 30 54 6b 30 72 0d 0a 78 68 36 33 33 32 4e 74 36 33 34 73 43 58 31 35 33 32 44 76 31 63 66 6f 72 31 7a 39 33 66 4e 39 42 31 64 38 39 38 64 4a 35 63 37 75 66 70 7a 37 53 35 32 30 31 5a 6b 33 68 33 6f 51 34 50 39 66 61 38 33 70 4a 51 36 77 76 4d 30 35 6f 31 33 31 38 35 32 44 38 35 30 4f 35 57 56 39 44 61 51 0d 0a 34 35 35 73 6d 31 48 37 6d 35 65 30 38 71 78 33 35 64 53 34 4b 35 7a 41 63 74 64 6a 47 31 31 52 38 43 51 44 4c 4b 75 50 36 39 4b 35 74 41 31 4c 32 79 37 34 30
Ascii: A7g981z42zl29658F97i0391C4C3u1tE3OQ5046jeR62k8V2puU738sC4LM182mXYEE2jRjCzzEqg13A0YYG29Uy171384k1250Tk0r..xh6332Nt634sCX1532Dv1cfor1z93fN9B1d898dJ5c7ufpz7S5201Zk3h3oQ4P9fa83pJQ6wvM05o131852D850O5WV9DaQ..455sm1H7m5e08qx35dS4K5zActdjG11R8CQDLKuP69K5tA1L2y740
Completion: success or wait
Count: 1
Address: EB9CA6
Symbol: WriteFile

Source: C:\Users\user\AppData\Roaming\x1532c8256\xekltk.cpl
Offset: unknown
Length: 527
Value (hex): 38 6e 37 36 58 43 7a 74 45 38 34 39 6c 67 5a 6f 41 4a 34 35 31 32 49 30 77 50 35 39 37 48 6a 34 62 43 37 33 38 38 63 4d 4f 4f 54 39 42 43 79 34 33 71 4b 39 46 49 54 45 33 75 6d 56 34 35 33 33 0d 0a 79 38 49 41 58 61 30 39 34 45 43 30 56 37 36 73 6a 74 39 35 34 33 75 52 65 51 33 58 6c 79 69 61 41 35 36 38 33 37 6c 36 75 7a 37 36 30 39 70 39 34 47 34 38 65 65 38 63 6d 39 36 49 31 32 39 66 35 33 78 36 30 34 30 59 4c 6a 38 37 63 30 37 57 75 42 78 0d 0a 50 37 36 31 36 30 44 32 6f 48 32 54 7a 31 39 36 4d 32 37 31 7a 61 6e 30 39 33 53 71 34 51 38 35 54 36 31 32 76 34 43 36 6d 75 6b 39 30 39 50 38 38 37 33 32 31 35 34 54 39 76 59 31 30 36 6d 57 31 37 31 67 32 55 37 35 6c 30 63 35 36 38 38 37 36 31 37 33 30 66 75 34 37 30 67 45 65 30 6a 30 33 35 37 37 38 78 33 36
Ascii: 8n76XCztE849lgZoAJ4512I0wP597Hj4bC7388cMOOT9BCy43qK9FITE3umV4533..y8IAXa094EC0V76sjt9543uReQ3XlyiaA56837l6uz7609p94G48ee8cm96I129f53x6040YLj87c07WuBx..P76160D2oH2Tz196M271zan093Sq4Q85T612v4C6muk909P88732154T9vY106mW171g2U75l0c5688761730fu470gEe0j035778x36
Completion: success or wait
Count: 1
Address: EB9CA6
Symbol: WriteFile

Source: C:\Users\user\AppData\Roaming\x1532c8256\wbgvokqlg.txt
Offset: unknown
Length: 531
Value (hex): 42 37 50 6d 34 62 31 64 75 37 37 37 41 37 75 4d 45 53 4f 32 35 31 38 4f 55 35 35 78 35 39 35 32 32 31 41 61 72 56 34 31 55 33 55 39 37 37 5a 75 72 53 53 36 30 33 39 50 74 30 66 6c 30 5a 37 76 32 4a 31 65 33 4c 63 73 6a 72 75 31 53 33 38 36 37 38 6a 77 31 6b 34 6a 5a 54 4a 7a 35 37 38 65 33 54 65 37 4f 78 38 76 35 30 39 6e 46 37 35 38 32 74 6e 37 31 74 68 37 66 35 38 32 4d 69 47 32 35 4a 39 66 0d 0a 38 33 38 79 38 37 30 33 77 35 38 32 76 6b 34 38 34 34 39 34 38 71 75 36 36 41 31 78 77 34 37 30 36 37 77 70 6a 56 75 6c 38 31 36 35 67 59 53 5a 4c 33 62 30 39 38 6f 36 39 38 39 34 38 36 38 4b 39 79 66 75 71 31 33 35 31 4b 34 56 72 31 70 39 50 30 30 52 32 30 6d 63 78 34 36 34 51 39 6e 33 37 31 37 32 48 4c 30 66 49 39 75 44 76 50 59 31 30 35 30 34 0d 0a 38 37 41
Ascii: B7Pm4b1du777A7uMESO2518OU55x595221AarV41U3U977ZurSS6039Pt0fl0Z7v2J1e3Lcsjru1S38678jw1k4jZTJz578e3Te7Ox8v509nF7582tn71th7f582MiG25J9f..838y8703w582vk4844948qu66A1xw47067wpjVul8165gYSZL3b098o69894868K9yfuq1351K4Vr1p9P00R20mcx464Q9n37172HL0fI9uDvPY10504..87A
Completion: success or wait
Count: 1
Address: EB9CA6
Symbol: WriteFile

Source: C:\Users\user\AppData\Roaming\x1532c8256\rwucorxiun.xls
Offset: unknown
Length: 544
Value (hex): 38 72 31 62 33 30 68 63 4f 38 37 39 33 34 42 5a 31 33 67 37 47 31 47 61 33 59 39 31 69 34 74 4d 52 37 33 74 39 61 76 41 36 31 36 37 74 36 6e 39 39 48 34 4b 30 34 39 30 38 36 59 32 30 72 66 77 64 54 54 4d 36 33 62 34 70 63 57 37 67 62 32 42 37 66 36 75 75 6c 38 39 37 51 31 36 4e 30 33 35 41 76 33 74 33 34 35 31 51 38 6a 0d 0a 55 68 57 64 30 76 38 33 32 30 38 31 35 69 36 31 6a 31 6b 47 4f 35 4c 37 4f 57 79 34 35 36 33 32 31 7a 34 30 35 48 34 4d 49 50 49 37 42 6d 55 36 50 35 70 33 33 36 38 37 64 73 6e 65 30 6b 59 32 37 65 6b 31 45 59 36 30 30 4f 71 6a 69 36 33 44 36 59 67 48 45 64 35 31 74 32 6b 61 67 37 31 30 79 38 34 32 6d 34 30 30 31 71 64 4d 42 35 0d 0a 34 33 45 30 31 69 36 69 72 30 32 37 4c 30 36 49 70 38 78 39 45 4c 74 5a 48 35 53 32 37 71 36 78 4c 38
Ascii: 8r1b30hcO87934BZ13g7G1Ga3Y91i4tMR73t9avA6167t6n99H4K049086Y20rfwdTTM63b4pcW7gb2B7f6uul897Q16N035Av3t3451Q8j..UhWd0v8320815i61j1kGO5L7OWy456321z405H4MIPI7BmU6P5p33687dsne0kY27ek1EY600Oqji63D6YgHEd51t2kag710y842m4001qdMB5..43E01i6ir027L06Ip8x9ELtZH5S27q6xL8
Completion: success or wait
Count: 1
Address: EB9CA6
Symbol: WriteFile

Source: C:\Users\user\AppData\Roaming\x1532c8256\nccarmviuw.exe
Offset: unknown
Length: 523
Value (hex): 30 30 32 37 71 32 4d 31 35 74 57 35 6d 57 39 43 77 0d 0a 4c 7a 73 36 33 4b 41 32 7a 44 37 0d 0a 34 78 34 32 30 34 4d 72 34 36 4a 31 46 37 33 7a 4f 70 64 45 32 59 30 36 32 30 38 0d 0a 65 32 47 45 6f 6e 6e 37 34 37 36 38 62 30 4c 37 36 52 4b 36 31 34 32 32 0d 0a 74 37 35 46 30 41 73 37 30 61 33 44 34 33 44 5a 73 49 33 32 39 4a 7a 45 6c 34 33 38 68 39 49 68 61 32 79 4f 34 42 63 30 32 35 4d 48 35 30 34 6f 49 4b 49 30 44 34 4f 4c 4c 35 74 6a 4e 79 67 34 37 61 51 32 30 31 76 35 50 39 4f 7a 54 38 34 76 33 67 62 36 66 32 39 6e 34 46 33 5a 39 35 59 39 50 53 35 32 39 30 4d 57 43 30 35 39 31 35 39 4e 38 32 4f 4b 70 30 71 57 74 71 57 6e 36 39 6f 32 38 5a 6c 30 37 37 38 6a 37 37 6f 31 30 30 30 63 32 31 6f 48 31 52 38 69 36 38 65 74 59 62 73 61 36 31 33 38 68 41 63 37
Ascii: 0027q2M15tW5mW9Cw..Lzs63KA2zD7..4x4204Mr46J1F73zOpdE2Y06208..e2GEonn74768b0L76RK61422..t75F0As70a3D43DZsI329JzEl438h9Iha2yO4Bc025MH504oIKI0D4OLL5tjNyg47aQ201v5P9OzT84v3gb6f29n4F3Z95Y9PS5290MWC059159N82OKp0qWtqWn69o28Zl0778j77o1000c21oH1R8i68etYbsa6138hAc7
Completion: success or wait
Count: 1
Address: EB9CA6
Symbol: WriteFile

Source: C:\Users\user\AppData\Roaming\x1532c8256\uorkh.ico
Offset: unknown
Length: 592
Value (hex): 33 32 33 34 44 39 65 45 6d 4a 42 78 65 41 72 77 31 51 38 34 32 39 76 35 34 62 38 57 42 37 38 38 48 36 70 31 42 48 45 37 61 72 37 37 34 6d 38 50 6a 6a 4c 71 34 44 31 39 34 37 58 0d 0a 37 37 63 4d 34 64 4a 66 72 6e 39 32 34 68 33 77 39 52 58 6b 31 32 32 36 72 57 41 33 36 48 37 46 32 36 32 6e 33 32 76 37 63 31 32 4e 35 47 38 66 6f 56 39 31 4a 36 64 32 47 33 6e 34 4d 35 39 6b 39 33 0d 0a 36 59 34 4a 47 39 47 38 37 36 37 70 30 33 32 57 4f 35 38 5a 7a 47 39 33 31 72 62 39 6e 36 55 33 34 31 33 36 42 49 39 4e 73 32 36 6d 62 5a 42 68 54 63 32 43 37 68 32 36 36 55 38 37 33 66 32 46 34 34 39 56 39 34 39 36 36 32 39 31 34 30 66 58 53 75 4e 63 38 45 34 0d 0a 43 38 6b 36 34 52 70 35 35 45 32 38 34 57 5a 54 5a 37 63 46 36 34 32 54 55 30 6b 51 35 53 31 39 52 37 4b 4e 49
Ascii: 3234D9eEmJBxeArw1Q8429v54b8WB788H6p1BHE7ar774m8PjjLq4D1947X..77cM4dJfrn924h3w9RXk1226rWA36H7F262n32v7c12N5G8foV91J6d2G3n4M59k93..6Y4JG9G8767p032WO58ZzG931rb9n6U34136BI9Ns26mbZBhTc2C7h266U873f2F449V9496629140fXSuNc8E4..C8k64Rp55E284WZTZ7cF642TU0kQ5S19R7KNI
Completion: success or wait
Count: 1
Address: EB9CA6
Symbol: WriteFile

Source: C:\Users\user\AppData\Roaming\x1532c8256\ipjcrh.cpl
Offset: unknown
Length: 597
Value (hex): 55 63 31 36 31 57 39 31 61 39 37 32 34 33 5a 53 44 39 4f 36 36 6e 38 36 74 37 51 36 30 5a 35 35 56 57 35 4d 4a 4a 52 62 49 62 34 72 47 69 0d 0a 33 7a 4e 39 33 37 38 4c 33 38 6c 38 59 52 30 6a 37 30 35 46 62 74 4b 4e 35 41 5a 77 79 38 30 66 55 30 39 37 38 31 68 67 33 75 32 49 35 30 48 54 46 75 35 75 72 38 6f 72 37 30 38 6c 77 76 37 57 34 32 6a 50 58 70 6f 34 4a 57 77 71 38 48 62 31 6f 35 63 76 76 34 34 36 69 30 36 34 74 35 4c 37 38 33 35 39 36 37 37 46 31 35 6b 39 30 6c 42 75 4d 32 61 65 70 6e 53 37 37 53 33 38 30 31 30 36 57 78 36 44 37 36 53 38 37 33 44 79 67 52 6c 67 56 68 30 35 30 36 38 79 65 0d 0a 37 33 31 38 32 36 64 33 6a 36 4f 36 32 78 77 38 31 48 35 37 35 35 4a 32 36 35 31 77 6f 36 50 31 30 38 34 31 37 36 65 0d 0a 35 41 71 31 43 34 51 36 65 52 33
Ascii: Uc161W91a97243ZSD9O66n86t7Q60Z55VW5MJJRbIb4rGi..3zN9378L38l8YR0j705FbtKN5AZwy80fU09781hg3u2I50HTFu5ur8or708lwv7W42jPXpo4JWwq8Hb1o5cvv446i064t5L78359677F15k90lBuM2aepnS77S380106Wx6D76S873DygRlgVh05068ye..731826d3j6O62xw81H5755J2651wo6P1084176e..5Aq1C4Q6eR3
Completion: success or wait
Count: 1
Address: EB9CA6
Symbol: WriteFile

Source: C:\Users\user\AppData\Roaming\x1532c8256\ebfgeul.dll
Offset: unknown
Length: 578
Value (hex): 58 35 6e 78 4b 61 42 39 72 74 66 75 4c 4b 70 51 39 31 30 31 4a 31 39 37 72 70 32 0d 0a 35 69 38 74 30 4f 37 6c 54 57 34 39 38 49 31 36 42 38 33 7a 35 70 33 64 32 30 35 35 34 37 4e 7a 31 34 32 6a 33 35 33 31 7a 33 55 65 32 34 32 39 36 34 63 31 35 33 36 32 39 36 78 63 33 67 33 30 37 5a 42 64 5a 37 39 4b 79 76 62 32 67 59 48 55 34 34 32 33 34 64 4c 31 5a 6b 79 30 35 4c 38 75 4a 57 38 32 35 39 77 39 67 32 32 73 35 34 39 6c 35 73 38 5a 67 59 7a 34 36 4b 32 38 6c 36 43 63 33 41 47 50 6e 47 73 34 38 38 0d 0a 39 75 70 69 31 37 34 35 44 31 36 74 77 6a 62 6b 43 68 72 6e 69 52 30 6e 41 6f 4c 38 36 47 72 55 64 34 48 39 4e 71 68 39 62 46 61 70 58 69 34 77 38 67 30 31 38 4d 52 38 39 44 63 5a 47 39 62 35 50 33 36 71 63 32 38 78 37 4d 39 44 53 73 37 32 0d 0a 42 6f 6d 63
Ascii: X5nxKaB9rtfuLKpQ9101J197rp2..5i8t0O7lTW498I16B83z5p3d205547Nz142j3531z3Ue242964c1536296xc3g307ZBdZ79Kyvb2gYHU44234dL1Zky05L8uJW8259w9g22s549l5s8ZgYz46K28l6Cc3AGPnGs488..9upi1745D16twjbkChrniR0nAoL86GrUd4H9Nqh9bFapXi4w8g018MR89DcZG9b5P36qc28x7M9DSs72..Bomc
Completion: success or wait
Count: 1
Address: EB9CA6
Symbol: WriteFile

Source: C:\Users\user\AppData\Roaming\x1532c8256\iwlehr.nls
Offset: unknown
Length: 506
Value (hex): 35 51 36 49 79 35 39 32 42 64 50 32 31 36 31 4f 31 6b 41 5a 31 33 31 35 4c 51 70 52 47 32 65 30 4e 6a 46 68 6a 6c 36 49 33 4d 47 56 34 78 6b 44 62 50 66 36 70 39 62 34 4e 6a 36 41 6e 78 6e 6b 64 38 41 32 33 32 35 69 31 54 4e 34 43 38 30 30 50 35 4a 36 66 36 35 49 75 34 4b 41 36 34 35 33 6a 31 6c 51 30 38 31 30 4f 72 66 74 36 6f 6e 77 33 65 30 38 30 36 34 6a 49 36 34 70 0d 0a 7a 31 7a 30 6e 51 4c 63 6c 37 49 0d 0a 44 53 39 31 75 31 36 70 63 30 48 51 4b 55 36 38 36 54 37 32 48 34 30 39 4d 32 31 30 34 32 30 6d 39 44 77 31 7a 59 4f 38 73 73 37 56 68 77 36 35 75 5a 34 47 4b 34 54 65 32 30 48 38 6b 73 32 39 71 32 64 31 59 67 36 38 74 36 39 43 63 65 31 76 31 6a 76 4f 78 66 5a 46 30 4a 44 32 35 4b 61 62 36 79 31 37 39 33 72 35 68 0d 0a 4d 34 54 64 36 6c 35 37 4d
Ascii: 5Q6Iy592BdP2161O1kAZ1315LQpRG2e0NjFhjl6I3MGV4xkDbPf6p9b4Nj6Anxnkd8A2325i1TN4C800P5J6f65Iu4KA6453j1lQ0810Orft6onw3e08064jI64p..z1z0nQLcl7I..DS91u16pc0HQKU686T72H409M210420m9Dw1zYO8ss7Vhw65uZ4GK4Te20H8ks29q2d1Yg68t69Cce1v1jvOxfZF0JD25Kab6y1793r5h..M4Td6l57M
Completion: success or wait
Count: 1
Address: EB9CA6
Symbol: WriteFile

File Read

Source: C:\Users\user\Desktop\FAKE SSS ID-pdf.exe
Offset: unknown
Length: 8192
Completion: success or wait
Count: 137
Address: EB9691
Symbol: ReadFile

Registry Activities

Source Key Path Name Type Data Completion Count Address Symbol

Analysis Process: wscript.exe PID: 3624 Parent PID: 3540

General

Start time: 14:44:45
Start date: 10/03/2020
Path: C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\x1532c8256\fdpq irllrb.vb
Imagebase: 0x1180000
File size: 147456 bytes
MD5 hash: 7075DD7B9BE8807FCA93ACD86F724884
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: oitpmotjn.exe PID: 1684 Parent PID: 3624

General

Start time: 14:44:48
Start date: 10/03/2020
Path: C:\Users\user\AppData\Roaming\x1532c8256\oitpmotjn.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\x1532c8256\oitpmotjn.exe' jrbp.pbh
Imagebase: 0xe0000
File size: 700144 bytes
MD5 hash: AFE972E9214C8B5E9B24FBE665CE5A89
Has administrator privileges: false
Programmed in: C, C++ or other language
Antivirus matches:
  Detection: 38%, Virustotal, Browse
  Detection: 43%, ReversingLabs
Reputation: low

Disassembly

Code Analysis
