Automated Malware Analysis Report for vnMQDhyZya.bin

ID: 450141Sample Name:vnMQDhyZya.binCookbook: default.jbsTime: 00:31:14Date: 17/07/2021Version: 33.0.0 White Diamond

233333333356666666677888899999999

1010101010101010101111111111111212121212

121212121212131313

1313

Table of Contents

Table of ContentsWindows Analysis Report vnMQDhyZya.bin

OverviewGeneral InformationDetectionSignaturesClassification

Process TreeMalware Configuration

Threatname: CryLockYara Overview

Dropped FilesMemory Dumps

Sigma OverviewJbx Signature Overview

AV Detection:Spam, unwanted Advertisements and Ransom Demands:Hooking and other Techniques for Hiding and Protection:Malware Analysis System Evasion:

Mitre Att&ck MatrixBehavior GraphScreenshots

ThumbnailsAntivirus, Machine Learning and Genetic Malware Detection

Initial SampleDropped FilesUnpacked PE FilesDomainsURLs

Domains and IPsContacted DomainsContacted IPs

General InformationSimulations

Behavior and APIsJoe Sandbox View / Context

IPsDomainsASNJA3 FingerprintsDropped Files

Created / dropped FilesStatic File Info

GeneralFile IconStatic PE Info

GeneralEntrypoint PreviewData DirectoriesSectionsResourcesImportsPossible Origin

Network BehaviorCode ManipulationsStatisticsSystem Behavior

Analysis Process: vnMQDhyZya.exe PID: 4580 Parent PID: 5692GeneralFile Activities

File CreatedFile Written

DisassemblyCode Analysis

Copyright Joe Security LLC 2021 Page 2 of 13

Windows Analysis Report vnMQDhyZya.bin

Overview

General Information

Sample Name:

vnMQDhyZya.bin (renamed file extension from bin to exe)

Analysis ID: 450141

MD5: 23755a33694adc…

SHA1: 33a68ea32f34ab6…

SHA256: e001f6a5b2d4d26…

Tags: crylock exe ransomware

Infos:

Most interesting Screenshot:

Detection

CryLockCryLock

Score: 96

Range: 0 - 100

Whitelisted: false

Confidence: 100%

Signatures

Antivirus / Scanner detection for sub






Antivirus / Scanner detection for subAntivirus / Scanner detection for sub……

Found malware configuration






Found malware configurationFound malware configuration

Found ransom note / readme






Found ransom note / readmeFound ransom note / readme

Icon mismatch, binary includes an ic






Icon mismatch, binary includes an icIcon mismatch, binary includes an ic……

Multi AV Scanner detection for subm






Multi AV Scanner detection for submMulti AV Scanner detection for subm……

Yara detected CryLock ransomware






Yara detected CryLock ransomwareYara detected CryLock ransomware

Contains functionality to detect slee






Contains functionality to detect sleeContains functionality to detect slee……

Deletes shadow drive data (may be






Deletes shadow drive data (may be Deletes shadow drive data (may be ……

Contains functionality for read data f






Contains functionality for read data fContains functionality for read data f……

Contains functionality to call native f






Contains functionality to call native fContains functionality to call native f……

Contains functionality to check if a w






Contains functionality to check if a wContains functionality to check if a w……

Contains functionality to detect sand






Contains functionality to detect sandContains functionality to detect sand……

Contains functionality to dynamically






Contains functionality to dynamicallyContains functionality to dynamically……

Contains functionality to enumerate






Contains functionality to enumerate Contains functionality to enumerate ……

Contains functionality to query locale






Contains functionality to query localeContains functionality to query locale……

Contains functionality to read the cli






Contains functionality to read the cliContains functionality to read the cli……

Contains functionality to retrieve info






Contains functionality to retrieve infoContains functionality to retrieve info……

Contains functionality to shutdown /






Contains functionality to shutdown / Contains functionality to shutdown / ……

Detected potential crypto function






Detected potential crypto functionDetected potential crypto function

Extensive use of GetProcAddress (o






Extensive use of GetProcAddress (oExtensive use of GetProcAddress (o……

Found potential string decryption / a






Found potential string decryption / aFound potential string decryption / a……

May check if the current machine is






May check if the current machine isMay check if the current machine is……

PE file contains strange resources






PE file contains strange resourcesPE file contains strange resources

Queries the volume information (nam






Queries the volume information (namQueries the volume information (nam……

Sample file is different than original






Sample file is different than original Sample file is different than original ……

Uses 32bit PE files

Uses 32bit PE files

Uses 32bit PE files

Uses 32bit PE files

Uses 32bit PE files

Uses 32bit PE files

Uses 32bit PE filesUses 32bit PE files

Uses code obfuscation techniques (






Uses code obfuscation techniques (Uses code obfuscation techniques (……

Classification

Ransomware

Spreading

Phishing

Banker

Trojan / Bot

Adware

Spyware

Exploiter

Evader

Miner

clean

clean

clean

clean

clean

clean

clean

suspicious

suspicious

suspicious

suspicious

suspicious

suspicious

suspicious

malicious

malicious

malicious

malicious

malicious

malicious

malicious

System is w10x64

vnMQDhyZya.exe (PID: 4580 cmdline: 'C:\Users\user\Desktop\vnMQDhyZya.exe' MD5: 23755A33694ADC76023DD0B7607BC03D)

cleanup

{

"Extensions":

"ods,xar,xlr,xls,xlsb,xlsm,xlsx,xlt,xltm,xltx,asp,accdb,b2,crypt,crypt5,crypt6,crypt7,crypt8,crypt12,dat,db,dbf,dbx,kdc,log,mdb,mdf,sdf,sis,sql,awb,bin,cdi,cdr,css,csv,eap,efx,g

am,gbr,ged,gtp,mpp,msc,mts,one,otf,nbk,nbp,ndb,prf,prj,rtp,sav,scppy,sgml,tax2010,tbl,tmp,ts,vcd,xml,xsl,xslt,1cd,epf,erf,^^^,$er,4dd,4dl,accdc,accde,accdr,accdt,accft,adb,ade,a

df,adp,alf,ask,btr,cat,cdb,ckp,cma,cpd,crypt9,dacpac,dad,dadiagrams,daschema,db-shm,db-

wal,db3,dbc,dbs,dbt,dbv,dcb,dct,dcx,ddl,dlis,dp1,dqy,dsk,dsn,dtsx,dxl,eco,ecx,edb,epim,exb,fcd,fdb,fic,fmp,fmp12,fmpsl,fol,fp3,fp4,fp5,fp7,fpt,frm,gdb,grdb,gwi,hdb,his,ib,idb,ih

x,itdb,itw,jet,jtx,kdb,kexi,kexic,kexis,lgc,lwx,maf,maq,mar,marshal,mas,mav,mpd,mrg,mud,mwb,myd,ndf,nnt,nrmlib,ns2,ns3,ns4,nsf,nv,nv2,nwdb,nyf,odb,oqy,ora,orx,owc,p96,p97,pan,pd

b,pdm,pnz,qry,qvd,rbf,rctd,rod,rodx,rpd,rsd,sas7bdat,sbf,scx,sdb,sdc,spq,sqlite,sqlite3,sqlitedb,te,teacher,temx,tmd,tps,trc,trm,udb,udl,usr,v12,vis,vpd,vvv,wdb,wmdb,wrk,xdb,xld

,xmlff,

{pb,~hm,17t,1pe,1ph,3dmdef,3dp,3dr,3dt,3dw,3me,3pe,4dv,4fs,5vw,73c,73l,8xg,8xk,8xs,8xv,a5l,a5w,a65,aam,aao,ab,ab1,ab3,abcd,abi,abkprj,abp,aby,aca,acc,acf,acg,acq,acr,acz,adcp,ad

dism,adi,adif,adt,adu,adv,advs,adx,aes,afe,aff,aft,agd,aggr,aifb,alc,ald,aldf,ali,amb,amc,aml,amm,amsorm,an1,an8,anime,anme,ans,ansym,anx,apalbum,aph,aplibrary,arc,arff,arn,art,

as,ashprj,asm,asnd,asr,ast,atf,atomsvc,ats,avc,avhdx,avj,avl,avp,aw,awbr,awdb,awg,azz,azzx,bafl,bar,baserproj,bc,bcc,bci,bcl,bcm,bct,bdc,bdf,bdic,bed,bfx,bgl,bgt,bho,bim,binary,

bionix,bjo,bk,blb,bld,blg,bln,blockplt,blogthis,bluebutton,bm2,bms,bnk,bok,book,box,bpd,bpdx,bphys,bpj,bplx,bpm,brain,brd,brf,brl,brn,brs,brw,bsd,bsdl,btf,btif,btinstall,btm,bul

,bvp,c3d,c4p,caf,camm,cap,capt,capx,car,cav,cawr,cbg,cbmap,cbz,cca,cch,ccld,ccp,cct,cdf,cdm,cdp,cdpz,cdx,cdxml,cef,cel,celtx,cfa,cfb,cfs,cfx,cgd,chg,chk,chr,cif,circ,ckt,cl2,cla

sslist,clb,cld,clg,clix,clk,clkm,clks,clktk,clkv,clm,clp,clx,cm10,cm5,cmap,cmbl,cml,cmr,cms,cna,col,collab,contact,cpaa,cpf,cpk,cpmz,cptx,cram,crev,crtx,cry,cs,csa,ctb,ctf,ctl,c

tm,ctp,ctproject,ctt,ctv,ctv3,cub,cube,cursorfx,curxptheme,cva,cvd,cvn,cwk,cww,cxa,cxd,cxf,cxr,cxt,cyo,cys,czi,czp,da2,daf,dal,dam,dap,das,dbd,dbgsym,dcf,dcl,dcm,dcmd,dcmf,dcpf,

dcpr,ddb,ddc,ddcx,ddt,def,deproj,des,det,develve,deviceinfo,dex,dfm,dfproj,dgs,dhcd,dia,dict,dif,dig,dii,dip,dita,ditamap,ditaval,dkt,dl,dlc,dlt,dltemp,dm2,dmc,dmm,dmmx,dmo,dmpr

,dmr,dmsp,dna,dng,dockzip,dot,dpb,dpn,dps,dpt,dpx,dr,drf,drl,drscan,dsb,dsc,dsd,dsl,dsx,dsy,dsz,dt,dtd,dtp,dtr,dupeguru,dvb,dvc,dvdproj,dvds,dvo,dwi,dws,e2p,eas,ebm,ebuild,ec0,e

c3,ec4,ecc,ecl,ect,edat,edat2,edf,edfx,edg,edi,eep,ef,efp,eglib,egp,ekb,els,em,emb,embl,emd,emlxpart,emrg,emrg2,enc,enex,enl,enlx,enq,env,enw,epp,epw,er1,erd,erg,erp,ersx,es,es2

,esb,ese,esp,esq,est,esx,et,ete,etng,ett,ev,ev3,ev3p,ev3s,evx,evy,ews,exif,exl,exm,exp,exx,f04,f06,fa,familyfile,far,fas,fasta,fbk,fbq,fcpbundle,fcpevent,fcpproject,fcpxdest,fcp

xml,fcs,fct,fdf,fdm,fdt,fdx,fes,ffd,fff,ffindex,ffo,ffwp,fg3,fhc,fid,fig,fil,fingnet,flam3,flame,flg,flipchart,flk,fll,flm,flo,flow,flp,flt,flwa,fmat,fmc,fmt,fnbk,fnm,fnrecipes,

fo,fob,fodp,folx,fop,fox,fpa,fpp,fpr,fpsl,fqc,frameset,frd,frl,fro,fsa,fsc,fsif,fss,fstab,ftl,ftm,ftw,fwdict,fxf,fxg,fxp,g1m,g3m,ga3,gadgeprj,gal,gallery,gan,gb,gbk,gbl,gbo,gbp,

gbs,gc,gcg,gcproj,gcw,gcx,gdbtable,gdf,gdt,gdtb,gedata,gedcom,gen,genbank,gexf,gfi,gform,gfs,ggb,gis,gla,gld,glo,gls,gmap,gmbl,gml,gmp,gms,gno,gnp,gnutar,gp3,gpf,gpi,gpj,gpp,gpr

,gpscan,gra,grade,graphml,graphmlz,grd,grf,grib,grib2,grind,grindx,grk,grp,grr,grt,grv,gs,gtable,gtar,gtl,gtm,gto,gts,gui,guides,gwk,gwp,gxl,gxt,h10,h11,h12,h13,h14,h15,h16,h17,

h2o,h2w,h4,h5,h6x,h77t,haas,hal,hcc,hce,hci,hcl,hcr,hcu,hcx,hcxs,hda,hdf,hdi,hdl,hdpmx,hds,hdumx,helpindex,hif,hin,hjt,hkdb,hl,hm3,hml,hmt,hmxp,hmxz,hol,hpp,hs2,hsdt,hsk,hst,htb

,htg,huh,hvc,hyv,i5z,ias,iba,ibcd,ibg,icalevent,icaltodo,icg,ichat,icr,id2,id3tag,idx,ies,ifaith,ifiction,ifm,ifs,igc,igg,igma,ign,igq,ii,iif,ilg,ilogicvb,ima,image,imp,imr,imt,

in,incp,ini,ink,inp,ins,inx,ip,ipalias,iphoto,iplb,ipmeta,ipr,iproject,iq4,iqmol,irock,irp,irr,irx,is1,is2,isf,ish1,ish2,ish3,ispc,ist,ite,itl,itlp,itm,itmsp,itn,itx,iup,ivc,ivd

,ivs,ivt,iw,iwxdata,ix2,ixb,jasper,jbi,jbr,jclic,jdat,jdb,jef,jgcscs,jmp,jnt,joboptions,joined,jph,jrprint,jrxml,jsd,jsda,jtbackup,jude,kal,kap,kbits,kbs,kdbx,kdz,keb,kelgfile,k

ey,key-

tef,keychain,keytab,kgtemp,kid,kismac,kma,kms,kmy,kno,kpf,kpp,kpr,kpx,kpz,krc,ksm,kth,kvtml,l,l3dw,l6t,la,label,laccdb,las,lav,lay,lbl,lbx,lcd,lcm,ld2,ldf,ldif,lef,lev,lex,lfp,l

gf,lgh,lgi,lgl,lhr,lib,lib4d,lif,life,lin,list,livereg,liveupdate,lix,llb,lmf,lms,lmx,lng,lnt,loc,lp7,lpdb,lpk,lpkg,lpmd,lpp,lqm,lrcat,lrdata,lrlib,lrlibrary,lrm,lrtoolkit,ls3,l

sa,lsd,lsf,lsl,lsp,lsr,lst,lsu,lud,lut,lutx,lvm,lvw,lw4,lwd,lxf,lxk,ly,lyt,m,mai,map,mat,mba,mbd,mbg,mbp,mbx,mc1,mcat,mcd,mcdx,mcmac,mcp,md,md8,mdc,mdd,mdj,mdl,mdm,mdsx,mdx,meg,

mega,mem,menc,merlin2,met,mex,mf4,mfa,mfe,mfl,mfo,mfp,mft,mfu,mfv,mgourmet,mgourmet4,mindnode,mjk,mlb,mlm,mls,mm,mmap,mmc,mmf,mml,mmm,mmp,mmw,mnc,mng,mnk,mno,mny,mod,moho,mol,mo

ney,mosaic,mox,mph,mpj,mpkt,mppz,mpr,mps,mpx,mpz,ms10,msb,msct,msf,msp,mss,mtf,mtff,mth,mtm,mtw,mtxt,mum,mup,mvm,mw,mwf,mws,mwx,mx,mxad,mxc2,mxi,myi,myo,nam,nap,nas,nbe,nc,ncorx

Process Tree

Malware Configuration

Threatname: CryLock


ney,mosaic,mox,mph,mpj,mpkt,mppz,mpr,mps,mpx,mpz,ms10,msb,msct,msf,msp,mss,mtf,mtff,mth,mtm,mtw,mtxt,mum,mup,mvm,mw,mwf,mws,mwx,mx,mxad,mxc2,mxi,myi,myo,nam,nap,nas,nbe,nc,ncorx

,nct,ndif,ndk,nds,ndx,nessus,net,neta,netspd,netspm,nfi,nfl,nfo,nfs,nitf,nl,nlogo,nlogo3d,nma,nmea,nmind,nmm,nmp,nni,nnp,not,notebook,np,npl,npr,npt,npy,nrb,nrc,nrd,nrf,nrl,nrm,

nrt,nru,nrx,nsq,nsr,nst,nt,ntf,ntx,nupkg,nvdl,nvl,nvm,nvram,nwcab,nwcp,nwelicense,nwo,nwp,nws,oab,obb,obd,obj,occ,ocimf,od,odc,odf,odp,odt,odx,oeaccount,oem,ofc,ofm,oft,ofx,ogg,

oggu,ogm,ogmu,ogs,olk,olk14event,olk14group,olk14note,olk14task,oll,olm,olt,omcs,omp,ond,ont,ontx,oo3,op,op2,op4,opal,opax,opd,opf,opj,opju,opx,or2,or3,or4,or5,or6,org,osz,ot,ot

l,otln,otp,otx,out,ova,ovf,ovolog,ovx,owx,p3,p7x,pab,paf,pat,paw,pbd,pbix,pbk,pc,pcap,pcapng,pcb,pcc,pcd,pch,pck,pcr,pct,pd4,pd5,pdas,pdd,pdfig,pdo,pds,pdw,pdx,pep,pes,pex,pez,p

f,pfc,pfl,phb,phd,phm,pj2,pjm,pjt,pka,pkb,pkh,pks,pkt,planner,pln,pls,plt,plw,pmatrix,pml,pmm,pmo,pmr,pnproj,pns,pod,poi,popshape,por,pot,potm,potx,pp,pp2,ppf,ppp,ppr,pps,ppsm,p

psx,ppt,pptm,pptx,prc,prdx,printcd2,prn,prnx,pro4,pro4pl,pro4plx,pro4x,pro5,pro5pl,pro5plx,pro5x,prs,prt,prv,prx,psa,psf,psm,pspd,pss,pst,psv,psw,pswx,ptb,ptf,ptn,ptz,pvd,pvw,px

f,pxj,pxl,q07,q08,q09,q3d,qb,qb2005,qb2006,qb2007,qb2009,qb2010,qb2011,qb2012,qb2013,qb2014,qb2015,qb2016,qb2017,qba,qbj,qbr,qbw,qbxml,qby,qdat,qdb,qdf,qdf-

backup,qdfm,qdfx,qdp,qdt,qel,qf,qfilter,qfx,qif,qm,qmbl,qmtf,qpb,qpf,qph,qrc,qrmx,qrp,qs,qsd,quiz,quox,qvf,qvp,qvw,qxf,ral,ray,rbt,rcd,rcg,rcx,rda,rdata,rdb,rdf,rdg,rdlx,rdx,reb

,rec,redif,ref,reference,rel,rep,ret,rez,rf1,rfa,rfo,rge,rgmc,rgo,rhistory,rl,rmd,rmuf,rmx,rng,rnq,roadtrip,roca,rodz,rog,roi,rou,rox,roxio,roz,rp,rpa,rpp,rpprj,rpres,rpt,rptr,r

pyb,rrt,rsc,rsf,rsm,rso,rsp,rsv,rsw,rta,rte,rtstn,rtttl,rtwsh,ruel,rupaf,rvl,rvt,rwd,rwg,rws,s85,saf,sah,sar,sbc,sbd,sbw,sbx,sc4,sc45,sca,scd,scf,scg,scgc,scgp,scgs,sch,scm,scn,

scz,sdl,sdlxliff,sdp,sds,sdz,se1,seed,sen,seo,seq,ses,sfd,sff,show,shw,shx,sidx,sim,skv,skx,sldtm,sle,slk,slp,slx,sm,smc,smp,smpkg,smx,snag,snapshot,sp,spb,speccy,spj,spk,sps,sp

t,spub,spv,sq,sqd,sqf,sqr,srf,ssc,ssd,ssp,ssv,sta,stc,stdl,stk,stl,stm,stp,stproj,str,stt,stu,sty,styk,stykz,sub,sum,svd,svf,swk,sx,sxi,syn,t01,t02,t03,t04,t05,t06,t07,t08,t09,t

10,t11,t12,t13,t14,t15,t16,t17,t18,t2,t2k,t2ks,t2kt,ta4,ta5,ta6,ta7,ta8,tab,tac,tag,tar,tardist,tax,tax08,tax09,tax10,tax11,tax12,tax13,tax15,tax16,tax17,tax2008,tax2009,tax2011

,tax2012,tax2013,tax2014,tax2015,tax2016,tax2017,tax2018,tax2019,tb,tbd,tbk,tbx,tc,tcc,tclogs,tcnet,tcx,tda,tdb,tde,tdl,tdm,tdms,tdt,te3,ted,tef,ter,terrn,terrn2,tet,tfa,tfd,tgc

,tgd,tgf,tie,time,timeline,tjp,tkfl,tl5,tlp,tlx,tmr,tmw,tmx,tmzip,top,topc,totalsdb,tpb,tpd,tpf,tqs,tra,trd,trf,trk,trs,trx,tsk,tsl,tsr,tst,tsv,tt10,tt11,tt12,tt13,tt14,tt15,tt1

6,tt17,tt18,ttd,ttk,ttmd,ttskey,tvc,tvdownload,twb,twbx,twh,twm,twz,twzip,txa,txd,txf,txn,txtrpt,tyimport,tyset,u10,u11,u12,ubj,ubox,uccapilog,ud,udc,udeb,uds,ulf,ulp,ulz,umf,uo

p,update,upoi,upr,useq,ustar,uvf,uvw,uwl,uwrf,val,vault,vbpf1,vbw,vce,vcf,vcrd,vcs,vct,vdb,vdf,vdx,vec,vff,vfs,vi,vibe,vip,vle,vlg,vmsd,vmsn,vmss,vmt,voi,vok,voxb,vpol,vpp,vpx,v

rd,vs,vsch,vscontent,vssm,vssx,vsv,vsx,vtx,vud,vvf,vxml,vym,vzm,w02,wab,wac,wallet,wb1,wb2,wb3,wcat,wcd,wcf,wd3,wdf,wdq,wea,webapp,wfm,wgt,whf,wid,wjr,wk1,wk2,wk3,wk4,wk5,wke,wl

x,wnk,wpc,wpf,wpk,wpo,wpost,ws,wsi,wsm,wtb,wtml,wtr,wvp,xaf,xaiml,xappl,xas,xbc,xbd,xbk,xbrl,xbt,xcsl,xdf,xdna,xdp,xds,xef,xem,xer,xfd,xfdf,xflow,xfo,xfr,xft,xgml,xgmml,xgp,xlc,

xle,xlf,xlgc,xliff,xlw,xmap,xmcd,xmct,xmd,xmi,xmind,xmlper,xmp,xmpz,xmwx,xmzx,xpdl,xpg,xpj,xpll,xpm,xpr,xpt,xrb,xrdml,xrff,xrp,xry,xsc,xsf,xsvf,xtg,xtm,xtp,xum,xvct,xxd,xyz,xyzv

,yam,ychat,ygf,yka,yrcbkm,yrcdat,yumtx,zap,zdb,zdc,zdct,zim,zix,zma,zmc,zpl,_xls,_xlsx,123,12m,aws,bks,cell,dfg,dis,edx,edxz,ess,fm,fods,fp,gnm,gnumeric,gsheet,hcdt,nb,ncss,numb

ers,ogw,ogwu,ots,pmd,qpw,sxc,tmv,tmvt,uos,wki,wkq,wks,wku,wq1,wq2,wr1,xl,xlshtml,xlsmhtml,xlthtml,|||sqml,7z,ace,arj,cab,cbr,deb,exe,gz,gzip,jar,pak,pkg,rar,rpm,sh,sib,sisx,sit,

sitx,spl,tar-

gz,tgz,zip,zipx,0,000,001,a00,a01,a02,ain,alz,apz,ar,archiver,arduboy,ari,b1,b64,b6z,ba,bdoc,bh,bndl,boo,bundle,bz,bz2,bza,bzip,bzip2,c00,c01,c02,c10,cb7,cba,cbt,cp9,cpgz,cpt,ct

x,cxarchive,czip,dar,dd,dgc,dist,dl_,dz,ecs,ecsbx,edz,efw,egg,epi,f,f3z,fdp,fp8,fzbz,fzpz,gca,gmz,gz2,gza,gzi,ha,hbc,hbc2,hbe,hki,hki1,hki2,hki3,hpk,hpkg,hyp,iadproj,ice,ipg,ipk

,ish,isx,ita,ize,j,jgz,jic,jsonlz4,kgb,kz,layout,lbr,lemon,lha,lhzd,libzip,lnx,lqr,lz,lzh,lzm,lzma,lzo,lzx,mint,mpkg,mzp,nex,npk,nz,oar,opk,oz,p01,pa,package,pae,paq6,paq7,par,p

ar2,pbi,pea,pet,pim,piz,psz,pup,puz,pwa,qda,r0,r00,r01,r02,r03,r04,r1,r2,r21,r30,rev,rk,rnc,rp9,rss,rz,s00,s01,s02,s7z,sea,sfs,sfx,shr,smpf,spd,sqx,sqz,taz,tbz,tbz2,tg,tlz,tlzma

,tx_,txz,tz,tzst,uc2,uha,uzip,vem,vmcz,voca,vpk,vsi,wa,waff,war,warc,wastickers,wdz,whl,wlb,wot,wux,xapk,xez,xip,xmcdz,xx,xz,xzm,y,yz,yz1,z,z01,z02,z03,z04,zi,zi_,zl,zoo,zpi,zsp

lit,zst,zw,zz,|||spi,v2i,sv2i,mobackup,tib,hqx,kwm,mim,mime,pub,uue,bak,dmp,gho,ghs,json,adame,adobe,aep,afp,asc,aurora,axx,b2a,bc5b,bfa,bhx,bip,bit,blower,bpk,bpw,bsk,btoa,bvd,

ccf,cdoc,cerber,cerber2,cgp,chml,cng,cpio,cryptra,dc4,dcd,dco,ddoc,dim,dime,dm,e4a,ecd,edoc,efl,efr,efu,emc,enx,esf,eslock,exc,extr,filebolt,film,fpenc,fsm,gdcb,gfe,gxk,gzquar,h

bx,hex,hid,hid2,htpasswd,idea,iwa,jac,jceks,jcrypt,jks,jmc,jmce,jmck,jmcp,jmcr,jmcx,kde,keystore,kkk,klq,kode,krab,ks,ksd,kxx,lastlogin,lcn,lilocked,litar,locked,locky,lvivt,meo

,mjd,mme,mse,null,nxl,odin,pdc,pfile,pfo,plp,psw6,pwv,rap,rdi,rsdf,rzk,rzx,safe,scb,sef,shy,sme,snk,spdf,suf,switch,uea,ufr,uu,uud,vdata,viivo,vlt,vp,wcry,werd,wls,wlu,wncry,wnr

y,wolf,wpe,wrypt,xmdx,xtbl,xxe,xxx,yenc,ykcol,ync,zepto,zps,zzzzz,__a,__b,~cw,$$$,$db,002,003,113,73b,aba,abbu,abf,abk,acp,aea,afi,asd,ashbak,asv,asvx,ba6,ba7,ba8,bac,backup,bac

kupdb,bak~,bak2,bak3,bakx,bbb,bbz,bck,bckp,bdb,bff,bif,bifx,bk1,bkc,bkf,bkp,bkup,bkz,blend1,blend2,bm3,bmk,bookexport,bpa,bpb,bpn,bps,bup,cbs,cbu,cenon~,ck9,cmf,crds,csd,csm,da0

,dash,dba,dbk,dss,fbc,fbf,fbu,fbw,fh,fhf,flka,flkb,fpsx,ftmb,ful,fwbackup,fza,fzb,gb1,gb2,gs-

bck,ibk,icbu,icf,inprogress,ipd,iv2i,j01,jbk,jdc,jpa,jps,kb2,lbf,lcb,ldabak,llx,mbf,mdbackup,mddata,mdinfo,msim,nb7,nba,nbak,nbd,nbf,nbi,nbs,nbu,nco,nda,nfb,nfc,noy,npf,nps,nrba

k,nrs,nwbak,obk,oeb,old,onepkg,ori,orig,oyx,paq,pbf,pbj,pbx5script,pvhd,qbb,qbk,qbm,qbmb,qbmd,qbx,qic,qsf,qv~,rbc,rbk,rbs,rgmb,rmbak,rrr,sbs,sbu,skb,sn1,sn2,sna,sns,spf,spg,sqb,

srr,stg,sv$,tibkp,tig,tis,tlg,trn,ttbk,uci,vbk,vbm,vbox-

prev,vpcbackup,vrb,w01,walletx,wbb,wbcat,wbk,win,wjf,wpb,wspak,wx,xlk,yrcbck,zbfx,|||apt,err,pwi,ttf,tex,text,txt,cdd,cpp,doc,docx,docm,dotm,dotx,epub,fb2,gpx,ibooks,indd,kml,mo

bi,mso,oxps,pages,pdf,pl,ps,rtf,sldm,snb,wpd,wps,xps,cfg,4ui,anh,ao,ap,article,av,avery,bcf,bcp,biz,blk,bmml,bpf,bro,btw,caj,cal,cbf,cd2,cdml,cl2arc,cl2doc,cl2lyt,cl2tpl,clkb,cl

kc,clkd,clt,cndx,comicdoc,comiclife,consis,cov,cpe,cph,cpy,crtr,cst,cvw,cw,cwt,de,dpd,dra,drmx,drmz,dtx,dwdoc,eddx,edrwx,el4,fadein,fax,fcdt,fd2,fdd,fey,fgc,flb,flowchart,flw,fo

lio,form,fpe,fr3,frdoc,frf,fsd,fxm,gde,gdoc,gdocx,gem,gofin,gslides,gsp,gwb,hfd,hft,hmk,hpd,hpt,hwdt,icap,icml,icmt,idap,idml,idms,idpk,ifd,ildoc,imm,imtx,imx,incd,inct,incx,ind

,indb,indl,indp,inds,indt,inlx,isale,isallic,isd,jtp,jwc,lab,lld,lma,lpdf,lsc,ltf,max,mcsp,mdi,mga,mif,mtc,mvd,mvdx,mwl,npp,nud,ola,p65,pcl,pde,pdp,pdr,pgs,pmx,pnh,ppx,psg,pspro

j,psr,ptx,pwt,pzf,pzfx,q3c,qpt,qxb,qxd,qxp,qxt,rb4,rels,rfd,rlf,rmr,rpc,rpx,rwt,sbk,sbv,sdt,simp,sjd,sma,snp,t2d,tds,tp3,uxf,vfc,webtheme,wlp,wmga,wpt,wwf,xdw,xif,xmt,xsn,xzfx,z

dl,zdp,zds,zfx,zno,_doc,_docx,1st,602,abw,act,adoc,aim,ase,awp,aww,bad,bbs,bdp,bdr,bean,bib,bibtex,bml,bna,boc,brx,btd,bzabw,calca,charset,chord,cnm,cod,crwl,cws,cyi,diz,dne,dox

,dvi,dwd,dxb,dxp,eio,eit,emf,eml,emlx,etf,etx,euc,fbl,fcf,fdr,fds,fdxt,fft,fgs,flr,fodt,fountain,frt,fwdn,gmd,gpd,gpn,gsd,gthr,gv,hbk,hht,hs,hwp,hz,iil,ipf,ipspot,jarvis,jis,jnp

,joe,jp1,jrtf,jtd,kes,klg,knt,kon,kwd,latex,lbt,lis,lp2,ltr,ltx,lue,luf,lwp,lxfml,lyx,mbox,mcw,mell,mellel,mnt,msg,mwd,mwp,ndoc,ngloss,njx,note,notes,now,nwctxt,nwm,ocr,odif,odm

,odo,ofl,opeico,openbsd,ort,ott,p7s,pages-

tef,pfx,plantuml,pu,pvm,pwd,qdl,rad,readme,rft,ris,rst,rtd,rtfd,rtx,run,rvf,rzn,safetext,scc,scriv,scrivx,sct,scw,sdw,session,sgm,sig,sla,smf,sms,ssa,story,strings,sxw,tdf,templ

ate,thp,tlb,tm,tmdx,tmvx,tpc,trelby,tvj,u3i,unauth,unx,uof,uot,upd,utf8,utxt,vnt,vw,webdoc,wn,wp,wp4,wp5,wp6,wp7,wpa,wpl,wpw,wri,wsd,wtt,wtx,xbdoc,xbplate,xdl,xwp,xy,xy3,xyp,xyw

,zabw,zrtf,tsc,tsf,uld,unt,upf,vet,vnd,vtf,vwx,wdp,x_b,x_t,xise,xnc,xv3,acsm,apnx,azw,azw1,azw3,azw4,bkk,bpnueb,cebx,dnl,ea,eal,ebk,edn,etd,fkb,han,html0,htmlz,htxt,htz4,htz5,jw

pub,kfx,koob,lit,lrf,lrs,lrx,mart,ncx,nva,oebzip,orb,pef,phl,qmk,rzb,rzs,tcr,tk3,tpz,tr,tr3,webz,ybk,|||3g2,3gp,3gp2,3gpp,3gpp2,asf,asx,avi,drv,f4v,flv,h264,m4v,mkv,moov,mov,mp4

,mpeg,mpg,rm,rmvb,srt,swf,vid,vob,webm,wm,wmv,yuv,264,3mm,3p2,60d,787,890,aaf,aec,aepx,aet,aetx,ajp,ale,am,amv,amx,anim,arcut,arf,avb,avchd,ave,avs,avv,axm,bdm,bdmv,bdt2,bdt3,bi

k,bik2,bix,bk2,blz,bmc,bnp,bs4,bsf,bu,bvr,byu,camproj,camrec,camv,ced,cine,cip,clpi,cme,cmmp,cmmtpl,cmproj,cmrec,cpi,cpvc,cx3,d2v,d3v,dav,dce,dck,dcr,dir,divx,dlx,dmb,dmsd,dmsd3

d,dmsm,dmsm3d,dmss,dmx,dpa,dpg,dream,dv,dv-avi,dv4,dvdmedia,dvr,dvr-

ms,dvx,dxr,dzm,dzp,dzt,edl,evo,exo,eye,eyetv,ezt,f4f,f4m,f4p,fbr,fbz,fcarch,fcp,fcproject,ffm,flc,flh,fli,flic,flx,fpdx,ftc,fvt,g2m,g64,g64x,gcs,gfp,gifv,gl,gom,grasp,gvi,gvp,gx

f,hdmov,hdv,hevc,hkm,ifo,imovieproj,insv,int,ircp,irf,ism,ismc,ismclip,ismv,iva,ivf,ivr,izz,izzy,jdr,jmv,jnr,jss,jts,jtv,k3g,kdenlive,kmv,ktn,lrec,lrv,lsx,lvix,m1pg,m21,m2p,m2t,

m2ts,m2v,mani,mgv,mj2,mjp,mk3d,mnv,moi,mp21,mpf,mpgindex,mpl,mpls,mproj,mpsub,mpv,mqv,msdvd,mswmm,mtv,mvc,mve,mvp,mvy,mxf,mxv,n3r,ncor,nfv,nsv,ntp,nut,nuv,nvc,ogv,ogx,orv,osp,ot

rkey,pac,pgi,photoshow,piv,pjs,plproj,pmf,ppj,prel,pro,prproj,prtl,psb,psh,pvr,pxv,qsv,qt,qtch,qtindex,qtl,qtm,qtz,r3d,ravi,rcproject,rcrec,rcut,rmp,rms,rmv,roq,rsx,rts,rum,rv,r

vid,sbz,screenflow,sdv,sec,sfvidcap,siv,smi,smil,smk,snagproj,ssf,stx,svi,swi,swt,tda3mt,theater,tid,tivo,tix,tod,tp,tp0,tpr,trec,trp,tsp,ttxt,tvlayer,tvs,tvshow,usf,usm,v264,vb

c,vc1,vcpf,vcr,vcv,vdo,vdr,veg,vep,vf,vft,vfw,vfz,vgz,video,viewlet,viv,vivo,vix,vlab,vmlf,vmlt,vp3,vp6,vp7,vpj,vr,vro,vs4,vse,vsh,vsp,vtt,w32,wcp,wfsp,wgi,wlmp,wmd,wmmp,wmx,wp3

,wsve,wtv,wvm,wvx,wxp,xej,xel,xesc,xfl,xlmv,xmv,xvid,y4m,yog,zeg,zm1,zm2,zm3,zmv,|||dem,kmz,mid,ov2,geo,3d,3dc,3dd,3dl,477,apl,apr,aqm,at5,atx,aux,axe,axt,bil,bt,cor,csf,cvi,div

,dix,dlg,dmf,dmt,dt0,dt1,dt2,e00,embr,ers,eta,ffs,fit,fls,fme,fmi,fmv,fmw,geojson,gfw,glb,gmf,gprx,gps,grb,gsb,gsi,gsm,gsr,gsr2,gst,gvsp,gws,hdr,hgt,imd,img,imi,jgw,jnx,jpgw,jpr

,jpw,lan,len,mpk,msd,mxd,mxt,ngt,nm2,nm3,nmap,nmc,nmf,obf,ocd,osb,osc,osm,pix,prm,ptm,ptt,qct,rdc,rgn,rrd,sbn,shp,sld,style,svx,sxd,sym,tfrd,tfw,th,timestamp,tpx,ttkgp,vdc,wfd,w

ld,wor,xol,|||3dm,3ds,a2c,ccd,cdw,cr2,dgn,dwg,dxf,ics,igs,iso,ma,mb,part,rnd,sldasm,sldprt,wm2d,ai,eps,svg,vsd,vst,wmf,aac,ac3,aif,aiff,amr,aob,ape,aud,bwg,flac,iff,m3u,m3u8,m4a

,m4b,m4p,m4r,midi,mp3,mpa,msv,nkc,ra,ram,sln,temp,vb,wav,wave,wma,xsb,xwb,cur,icns,ico,mds,pict,png,bmp,dds,djvu,gif,hta,jpeg,jpg,php,psd,pspimage,scr,tga,thm,tif,tiff,xcf,0cc,2

sf,2sflib,3ga,3gpa,4mp,5xb,5xe,5xs,669,6cm,8cm,8med,8svx,a2b,a2i,a2m,a2w,a52,aa,aa3,aax,abc,abm,acb,acd,acd-bak,acd-

zip,acm,adg,adts,afc,agm,agr,ahx,aifc,aimppl,akp,alaw,all,als,amf,ams,amxd,amz,ang,apf,aria,ariax,3d2,3d4,3da,3df,3dmf,3dmk,3don,3dv,3dx,3dxml,3mf,a3d,a8s,album,animset,anm,aof,

aoi,atl,atm,b3d,bio,blend,br3,br4,br5,br6,br7,brg,bto,bvh,c3z,c4d,cas,ccb,cg,cg3,cga,cgfx,chrparams,cm2,cmod,cmz,crf,crz,cso,d3d,dae,daz,dbl,dbm,ddd,dff,dfs,ds,dsa,dse,dsf,dsi,d

so,dsv,duf,dwf,e57,f3d,facefx,fbm,fbx,fc2,fcz,fg,fnc,fpf,fpj,fry,fsh,fsq,fun,fuse,fx,fxa,fxl,fxs,fxt,glf,glm,gltf,gmmod,gmt,grn,hd2,hdz,hip,hipnc,hlsl,hr2,hrz,hxn,ifc,iges,igi,i

gm,ik,irrmesh,iv,ive,j3o,jas,kfm,kmc,kmcobj,ktz,ldm,llm,lnd,lp,lps,lt2,ltz,lwo,lws,lxo,m3,makerbot,maxc,mc5,mc6,mcz,md5anim,md5camera,md5mesh,meb,mesh,mix,mot,mp,mqo,mrml,ms3d,m

tl,mtx,mtz,mxm,mxs,n2,n3d,nff,nif,nm,nsbta,obp,obz,oct,off,ogf,ol,p21,p2z,p3d,p3l,p5d,phy,pigm,pigs,pl0,pl1,pl2,ply,ppz,prefab,psk,pz2,pz3,pzz,qc,rcs,rds,rig,s,sc4model,sh3d,sh3

f,skl,skp,smd,step,sto,t3d,tcn,tgo,thing,thl,tme,tmo,tri,truck,ts1,tvm,u3d,ums,v3d,v3o,v3v,vac,vert,visual,vmd,vmo,vox,vrl,vso,vue,vvd,w3d,wft,wow,wrl,wrp,wrz,x,x3d,x3g,xmf,xmm,

xof,xrf,xsi,xv0,yaodl,ydl,z3d,zt,123c,123d,123dx,2d,3w,a2l,afd,any,ard,asy,att,bbcd,bcd,bdl,bimx,bmf,bpmc,bpz,bsw,bswx,bxl,cad,cam,catdrawing,catpart,catproduct,cddx,cdl,cgr,ckd

,cmp,cnc,cnd,cpa,crv,cyp,czd,db1,dbq,dc,dc1,dc2,dc3,dft,dfx,dgb,dgk,dlv,drg,drw,drwdot,dsg,dst,dwfx,dwt,dxe,dxx,easm,edrw,eld,eprt,eqn,ewb,ewd,ezc,ezp,fan,fcstd,fcstd1,fcw,fmz,f

pd,fz,fzm,fzp,fzz,g,g3d,gbx,gcd,gcode,gds,gxc,gxd,gxh,gxm,hcp,hsc,hsf,hus,iam,ic3d,icd,ide,idv,idw,if,ifcxml,ifczip,ipj,ipn,ipt,ise,isoz,jam,jbc,job,jt,jvsg,jvsgz,kit,l3b,lcf,ld

r,ldt,li3d,lia,lizd,logicly,ltl,lyc,lyr,mc9,mcx,mhs,mmg,model,modfem,mp11,mp13,mp14,mp7,ms11,ms13,ms14,msm,nc1,neu,ngc,ngd,nwc,nwd,nwf,olb,opt,pc6,pc7,phj,pho,pipd,pipe,pla,prg,

qpm,rcv,red,rml,rra,rs,rsg,sab,sat,sbp,scad,scdoc,sdg,skf,slddrw,t3001,tak,tbp,tc2,tc3,tcd,tcm,tcp,tct,tcw,topprj,topviw,at3,au,aup,ay,b4s,band,bap,bcs,bcstm,bdd,bfstm,bfwav,bid

ule,bonk,brr,brstm,bun,bwf,bww,caff,cda,cdda,cdlx,cdo,cgrp,cidb,ckb,conform,copy,cpr,csh,cts,cwb,cwp,d00,d01,dewf,df2,dfc,djr,dls,dmsa,dmse,ds2,dsm,dsp,dtm,dts,dtshd,dvf,ear,efa

,efe,efk,efq,efs,efv,emp,emx,emy,eop,erb,esps,evr,evrc,exs,f2r,f32,f3r,f4a,f64,fda,fev,frg,fsb,fti,ftmx,fuz,fzf,fzv,g721,g723,g726,gbproj,gig,gio,gm,gmc,gp5,gpbank,gpk,gro,groov

e,gsf,gsflib,guit,gym,h0,h3b,h3e,h4b,h4e,h5b,h5e,h5s,hbb,hbs,hca,hdp,hma,hmi,hps,hsb,iaa,igp,igr,imf,isma,it,iti,itls,its,jo,jo-

7z,jspf,k25,k26,kar,kfn,kin,kmp,koz,kpl,krz,ksc,ksf,kt2,kt3,ktp,lof,logic,logicx,lqt,lso,lvp,lwv,m2,m5p,ma1,mbr,mdr,med,minigsf,miniusf,mka,mmlp,mmpz,mo3,mp2,mpc,mpdp,mpga,mscz,

msmpl_bank,mte,mti,mtp,mui,mus,musx,mux,mx5,mxl,mxmf,myr,naac,narrative,ncw,nfa,nkb,nki,nkm,nks,nkx,nml,nmsv,nra,nsa,ntn,nus3bank,nvf,obw,ofr,oga,oggstr,okt,oma,omf,omg,omx,opus

,orc,ota,ove,ovw,pandora,pca,pcast,pcg,pd,peak,pek,pk,pkf,pna,ppc,pts,ptxt,q1,q2,qcp,r,r1m,raw,rax,rcy,record,rex,rfl,rgrp,rip,rmf,rmi,rmj,rmm,rmt,rns,rol,rsn,rti,rtm,rvx,rx2,s3

i,s3m,sap,sb,sbi,sc2,scs11,sd,sd2,sdat,sdx,sesx,sf2,sfk,sfl,sfpack,sfz,sgp,shn,sid,smpx,snd,sng,sou,sph,sppack,sseq,stap,sth,strm,swa,sxt,syh,syw,syx,td0,tfmx,thx,tm2,tm8,tmc,to

c,trak,tta,txw,u,u8,uax,ub,ulaw,ult,ulw,uni,usflib,ust,uw,uwf,v2m,vag,vap,vc3,vdj,vgm,vlc,vmf,voc,voxal,vpl,vpm,vpr,vpw,vqf,vrf,vsq,vsqx,vyf,w64,wand,wax,wem,wfb,wfp,wpp,wproj,w

tpl,wtpt,wus,wut,wv,wvc,wve,wwu,wyz,xa,xbmml,xfs,xi,xm,xma,xms,xmu,xmz,xopus,xp,xpf,xrns,xsp,xspf,xt,ym,yookoo,zab,zgr,zpa,zvd,zvr,af3,afdesign,artb,ccx,cddz,cdmm,cdmt,cdmtz,cdm

z,cds,cdt,cgm,cil,clarify,cmx,cnv,csy,cv5,cvg,cvs,cvx,dcs,ddrw,design,dhs,dpp,drawing,drawit,egc,emz,ep,epsf,esc,ezdraw,fh10,fh11,fh3,fh4,fh5,fh6,fh7,fh8,fh9,fhd,fif,fs,ft10,ft1

1,ft7,ft8,ft9,ftn,gdraw,gks,glox,graffle,gstencil,gtemplate,gvdesign,hgl,hpg,hpgl,hpl,hvif,igt,igx,jsl,lmk,mgcb,mgmf,mgmx,mgs,mvg,odg,otg,ovp,ovr,pen,pmg,qcc,rdl,scv,sk2,sketch,

slddrt,snagstyles,std,svgz,tlc,tne,tpl,vbr,vml,vsdm,vsdx,vstm,vstx,wmz,wpg,wpi,xmmap,yal,ydr,zgm,2bp,360,411,73i,8ca,8ci,8pbs,8xi,acorn,afphoto,afx,agif,agp,aic,apd,apm,apng,aps

,apx,arr,arw,aseprite,avatar,awd,blkrt,bmq,bmx,bmz,bpg,brk,brt,bss,bti,bw,can,cd5,cdg,cid,cin,cit,clip,colz,cpc,cpg,cps,cpx,ct,dgt,dib,dic,dicom,dm3,dmi,dtw,dvl,ecw,exr,face,falCopyright Joe Security LLC 2021 Page 4 of 13

,apx,arr,arw,aseprite,avatar,awd,blkrt,bmq,bmx,bmz,bpg,brk,brt,bss,bti,bw,can,cd5,cdg,cid,cin,cit,clip,colz,cpc,cpg,cps,cpx,ct,dgt,dib,dic,dicom,dm3,dmi,dtw,dvl,ecw,exr,face,fal

,fits,flif,fpg,fpos,fppx,fpx,g3,gcdp,gfb,gfie,ggr,gih,gim,gmbck,gmspr,gp4,grob,gry,hdrp,heic,heif,hf,hpi,hr,hrf,i3d,ic1,ic2,ic3,ica,icb,icn,icon,icpr,ilbm,imj,info,insp,ipick,ip

x,itc2,ithmb,ivue,iwi,j2c,j2k,jb2,jbf,jbg,jbig,jbig2,jbmp,jfi,jfif,jia,jif,jiff,jng,jp2,jpc,jpd,jpe,jpf,jpg-

large,jpg2,jpx,jtf,jwl,jxr,kdi,kdk,kic,kodak,kpg,kra,lb,lbm,lip,ljp,lrpreview,lzp,mbm,mdp,miff,mipmaps,mnr,mpo,mrxs,myl,ncd,ncr,neo,nlm,nol,oc3,oc4,oc5,oci,odi,oplc,otb,oti,ozb,

ozj,ozt,pano,pbm,pc3,pcx,pdn,pe4,pfr,pgf,pgm,pi2,pic,picnc,piskel,pixadex,pm,pnm,pov,ppm,prw,psdx,pse,psp,pspbrush,ptex,ptg,px,pxd,pxm,pxr,pyxel,pza,pzp,pzs,qmg,qti,qtif,ras,rcl

,rcu,rgb,rgba,rgf,ric,rif,riff,rix,rle,rli,rpf,rri,rsb,rsr,rtl,rvg,s2mv,sai,sdr,sfc,skitch,skm,spa,spc,spe,spp,spr,sprite,sprite2,ste,sup,t2b,targa,tb0,tbn,texture,tfc,tg4,thumb

,tn,tpi,trif,tub,ufo,uga,ugoira,urt,v,vda,vic,vicar,viff,vna,vpe,vrimg,vrphoto,vss,wb0,wbc,wbd,wbm,wbmp,wbp,wbz,webp,wi,wic,wmp,wvl,xbm,xwd,ysp,zif,zvi,3fr,bay,cr3,cxi,eip,iiq,j

6i,mef,mfw,mos,mrw,nef,nrw,orf,raf,rw2,rwl,rwz,sr2,srw,x3f,|||apk,bat,cgi,cmd,com,js,jse,gadget,msi,msu,pif,ps1,pwz,vbs,wsf,dll,8bi,crx,ext,h,nbm,nes,plugin,ppa,ppam,xla,xlam,xl

l,xpi,ani,cpl,deskthempack,diagcab,diagpkg,hlp,icl,lnk,msstyles,nomedia,ocx,reg,rom,scrshs,sys,theme,themepack,0xe,73k,89k,8ck,a6p,a7r,ac,actc,action,ahk,air,app,arscript,asb,az

w2,ba_,beam,celx,cof,command,dek,dld,e_e,ebs,ebs2,ecf,eham,elf,epk,esh,ex_,ex4,ex5,exe1,exopc,ezs,fky,fpi,frs,gpe,gpu,ham,hms,hpf,iim,ipa,isu,jsf,jsx,kix,ksh,kx,lo,ls,mcr,mel,mi

o,mrc,mrp,ms,msl,mxe,n,ncl,nexe,ore,osx,otm,phar,plx,pwc,pyc,pyo,qit,qpx,rbx,rfu,rgs,rpj,rxe,scar,scpt,scptd,script,tiapp,tms,u3p,udf,upx,vbe,vbscript,vexe,vlx,vxp,wcm,widget,wi

z,workflow,wpm,wsh,x86,xap,xbap,xlm,xqt,xys,zl9,8ba,8bc,8be,8bf,8bi8,8bl,8bs,8bx,8by,8li,aaui,aaxplugin,accda,accdu,acroplugin,aex,aip,alp,amxx,api,aplg,aplp,arx,asi,avx,ax,bav,

bblm,blu,bmi,bri,brm,bzplug,ccip,cleo,codaplugin,component,cox,dfp,dlo,dlr,dlu,dpm,eaz,epk2,exv,fmplugin,fmx,fwaction,fwactionb,fzip,hvpl,iadaction,iadclass,iadpage,iadplug,iads

tyle,ibplugin,ideplugin,jsxbin,kmm,lrmodule,lrplugin,mda,mde,mfx,milk,mmip,mode,module,mxaddon,mxp,ny,oex,oiv,osax,oxt,p,p64,plx64,q1q,q2q,q4q,q5r,q7q,q8r,q9r,q9s,qar,qtr,qtx,rb

z,rhp,rock,rpi,rplib,rpln,rwplugin,safariextz,sparc,tgp,tko,tmbundle,vsix,vsl,vst3,wie,wll,wlz,wowsl,x32,xadd,xba,xcplugin,xlv,xnt,xsiaddon,zlb,zxp,208,2fs,386,3fs,73u,8cu,8xu,a

dm,adml,admx,aos,asec,bashrc,blf,bom,bud,c32,cgz,ci,cnt,cpq,crash,desklink,dev,dfu,diagcfg,dit,drpm,dvd,ebd,edj,efi,efires,emerald,escopy,etl,evt,evtx,ffa,ffl,ffx,firm,fl1,fota,

fpbf,ftf,ftg,fts,gmmp,grl,group,h1s,hcd,hdmp,help,hhc,hhk,hiv,hpj,hsh,htt,hve,idi,ifw,im4p,ime,img3,inf_loc,ion,ioplist,ipod,iptheme,ius,jpn,kbd,kext,ko,kor,lfs,library-

ms,lockfile,log1,log2,lpd,manifest,mapimail,mdmp,mi4,mlc,mydocs,nb0,nbh,nls,ntfs,odex,pk2,pnf,pol,ppd,prefpane,profile,prop,pwl,qky,qvm,rc1,rc2,rco,reglnk,rfw,ruf,rvp,saver,shd,

shsh,sqm,swp,ta,tdz,thumbnails,timer,trashes,trx_dll,uce,vga,vgd,vx_,vxd,wdgt,webpnp,wer,wgz,wph,wpx,xfb,xrm-

ms,|||aspx,cer,cfm,chm,crdownload,csr,download,htaccess,htm,html,jnlp,jsp,mht,mhtm,mhtml,url,webarchive,webloc,xhtml,xulasf,c,class,fla,java,lua,po,py,so,vc4,vcproj,vcxproj,wsc,

xcodeproj,xsd,a4p,adr,alx,an,appcache,aro,asa,asax,ascx,ashx,asmx,atom,awm,axd,br,browser,btapp,bwp,cha,chat,codasite,con,crl,crt,cshtml,csp,der,dhtml,disco,discomap,dml,do,ece,

edge,epibrw,esproj,ewp,fcgi,freeway,fwp,fwtb,fwtemplate,gne,har,hdm,hdml,htc,htx,hxs,hype,hypesymbol,idc,iqy,itms,itpc,iwdgt,jcz,jhtml,jspa,jspx,jst,jvs,jws,lasso,lbc,less,maff,

mapx,mjs,mspx,muse,nod,nxg,nzb,oam,obml,obml15,obml16,ognc,olp,opml,oth,p12,p7b,p7c,pem,qbo,qrm,rflw,rhtml,rjs,rt,rw3,rwp,rwsw,rwtheme,saveddeck,scss,shtm,shtml,sitemap,sites,si

tes2,suck,swz,tvpi,tvvi,ucf,uhtml,vbd,vbhtml,vdw,vlp,vrml,vrt,vsdisco,wbs,wbxml,web,webhistory,website,wgp,whtt,wml,woa,wrf,wsdl,xbel,xbl,xfdl,xht,xhtm,xpd,xss,xul,xws,zfo,zhtml

,zul,zvz,$01,4db,4th,a,aab,aar,addin,ads,agi,aia,aidl,alb,am4,am5,am6,am7,ane,anjuta,ap_,apa,applet,appx,appxsym,appxupload,arsc,artproj,as2proj,as3proj,asvf,au3,autoplay,awk,b,

bas,basex,bb,bbc,bbproject,bbprojectd,bdsproj,bet,bluej,bos,bpr,bs2,bsc,bsh,btn,buildpath,bur,bytes,caproj,cbl,cbp,cc,ccgame,ccn,ccs,cd,cfc,clips,cls,clw,cob,config,cp,cpb,csi,c

sn,csproj,csx,ctxt,cu,cvsrc,cxp,cxx,d,daconfig,dart,dbml,dbo,dbpro,dbproj,dcp,dcproj,dcuil,ddp,dec,dep,deviceids,df1,dfk,dgml,dgsl,diff,dm1,dmd,dob,docset,dpk,dpkw,dres,dsgm,dsy

m,eba,ecp,edm,edml,edmx,el,elc,ent,eql,erl,escn,ex,exw,f2k,f90,f95,fbp,fbp7,fbz7,fce,fcl,fd,feature,fgl,filters,fimpp,for,forth,fpm,framework,frj,frx,fsi,fsl,fsproj,fsscript,fsx

,fxc,fxcproj,fxml,fxpl,gameproj,gar,gbap,gbas,gbm,gch,gemspec,gfar,gitignore,gitkeep,glade,global,gm6,gm81,gmk,gmo,gmx,go,gorm,gradle,greenfoot,groovy,groupproj,gs3,gsproj,gszip

,gvy,gwd,haml,handlebars,has,hcf,hh,hhh,hhp,hrl,hxx,hydra,i,iconset,idl,idt,ilk,iml,inc,inl,ino,ipch,ipp,isc,iwb,iws,iwz,jav,jcp,jdp,jed,jl,jlr,jnilib,jsfl,jsh,jsxinc,juk,kb,kct

,kdevdlg,kdevelop,kdevprj,kdmp,kps,kt,kv,kvk,lang,lbi,lbs,lds,lgo,lhs,licenses,licx,lisp,livecode,loadtest,lol,lproj,lrdb,lsproj,ltb,luc,lxsproj,m4,magik,mak,markdown,mdzip,mer,

mf,mk,ml,mo,mom,mpws,mq5,mrt,msha,mshc,mshi,msix,mv,mxml,myapp,natvis,nbc,ncb,ned,neko,nfm,nib,nim,nk,nqc,nsh,nsi,nsl,nuproj,nuspec,nvv,nw,nxc,o,oat,ob2,oca,octest,odl,omo,os,ow

,owl,oxygene,patch,pb,pbg,pbxbtree,pbxproj,pbxuser,pcp,ph,pika,pjx,pkgdef,pkgundef,playground,plc,ple,pli,pn,pri,proto,psc,psm1,ptl,pwn,pxi,pyd,pyw,pyx,qml,qpr,qx,rav,rb,rbm,rbp

,rbvcp,rbw,rbxs,rc,rdlc,rdoc,refresh,res,resjson,resources,resw,resx,rexx,rise,rkt,rls,rodl,rotest,rpy,rsrc,ru,rul,rwsnippet,s19,sas,sb2,sb3,sbproj,sc,scala,scratch,sdef,sed,set

,slogo,sltng,smali,snippet,sol,spec,sqlproj,src,ss,ssi,storyboard,sud,suo,svn-

base,swc,swd,swift,t,targets,tcl,td,tiprogram,tk,tld,tlh,tli,tmlanguage,tmpl,tmproj,tmproject,tns,tpk,tpu,tres,tscn,tt,tu,tur,twig,uft,ui,uml,umlclass,vala,var,vbg,vbp,vbproj,vb

x,vbz,vc,vcp,vcx,vcxitems,vdm,vdp,vdproj,vgc,vhd,vhdl,vjp,vjsproj,vm,vpc,vsct,vsmacros,vsmdi,vsmproj,vspf,vsps,vspscc,vspx,vssscc,vsz,vtm,vtml,vtv,vwl,w,wapproj,wasm,wdgtproj,wd

l,wdw,webtest,winmd,wiq,wixlib,wixmsp,wixmst,wixobj,wixout,wixpdb,wixproj,workbook,worksheet,workspace,wowproj,wsp,wxi,wxl,wxs,xaml,xamlx,xbf,xcappdata,xcarchive,xcconfig,xcode,

xib,xojo_menu,xoml,xpp,xq,xql,xqm,xquery,xqy,xsx,xtb,yab,yaml,yml,yml2,ymp,ypr,|||b5t,b6t,bwi,bwt,dmg,i00,i01,i02,isz,md0,md1,md2,nrg,pdi,toast,2mg,adz,afm,ashdisc,atr,avhd,b5i,

b6i,bwa,bws,bwz,ciso,cl5,cue,d64,d88,daa,dao,dax,dbr,disc,disk,dmgpart,dms,e01,ecm,eda,ede,edk,edq,eds,edv,eui,ex01,fdi,g41,gbi,gdrive,gi,gkh,hc,hdd,hfs,hfv,ibadr,ibb,ibdat,ibp,

ibq,imz,ixa,k3b,l01,lx01,mbi,miniso,mrimg,nn,nri,p2g,p2i,partimg,pgd,qcow,qcow2,ratdvd,sco,sdsk,sqfs,st,t64,tao,tap,tzx,ufs,uibak,uif,vaporcd,vc6,vc8,vco,vdi,vfd,vhdx,vmdk,vmwar

evm,volarchive,wbi,wii,wil,wim,winclone,wmt,woz,wud,x64,xdi,xva,xvd,|||fnt,fon,torrent,magnet,sngw,ucm,application,appref-

ms,conf,deskthemepack,ds_store,inf,plist,swb,thempack,cf,cfu,vrp,lgp,pff,efd,00,32x,3dsx,3dz,555,68k,8ld,a26,acww,acx,age3rec,age3sav,age3scn,age3xrec,age3xsav,age3yrec,age3ysav

,am1,arch00,arp,ars,ash,ass,asset,ba2,bak1,bars,bb3,bdae,bf,bfg,bfm,bfs,bgz,bic,big,biq,blorb,blp,bls,bmd,bme,bmg,bng,bnr,bns,bnz,bo2,bo3,breff,breft,brlyt,brmdl,brres,brsar,brs

eq,brtex,brv,bs1,bsa,bsb,bsdiff,bsg,bsp,bus,bzw,carc,cbh,cbv,cdp2,cgf,chd,cm,cns,compiled,cos,course,cpn,crp,cty,d3dbsp,dat_mcr,dat_new,dazip,desc,diva,dm_68,dm_82,dm_83,dm_84,d

nf,dns,dol,dpf,drm,duc,dun,dv2,dzip,e2gm,eepf,egm,eix,ek6,ekx,elm,eng,epc,escape,esg,esm,est_uax,evp,ewl,fbrb,fc1,fc2map,fcm,ff,fgd,fila,film_cpk,fl,flash,fld,fml,fnta,fomod,for

ge,fos,fpid,fpk,fpmb,fpmo,fpop,fps,frc,frw,frz,fs2,fsg,fssave,fst,fuk,fwd,g3x,galaxy,game,gamedata,gba,gbaskin,gbc,gbcskin,gblorb,gcf,gci,gcm,gct,gcz,gd,gdc,gdg,gdi,gdw,genome,g

fx,gg,ggpack,ghb,gjd,glksave,gma,gme,gmres,gmv,god,goomod,gr2,gs0,gsba,gsc,gsx,gtworld,h3m,h4r,h5m,h5u,hat,he,he0,he1,he2,he4,hhsl,hi,hit,hmp,hof,hog,hoi4,honmod,hot,hqm,hum,hwd

,hwmap,hws,hxm,i3pack,ib2,ib3,ibch,ibre,ibro,ibt,icmod,idx0,idx255,ifp,imga,inform,inv,ipl,ips,isr,itk,itr,iwd,j2i,j2l,j64,ja,jag,jap,jbeam,jcr,jg4,jgc,jigsaw,jkb,jmf,jrc,jrz,k2

s,kag,kcl,kf2,kfs,kodu,kv6,kwreplay,l2r,l3d,laby,ldb,ldw,litemod,lk12,ll,lmp,lmu,lock,lod,love,lpb,lsw,ltg,luxb,lvl,lvlx,mae,maplet,mca,mcapm,mcpack,mcserver,mcworld,md3,menu,mg

l,mgx,mii,mis,mp2m,mp2s,mpm,mpq,mrs,mul,n-

gage,n3pmesh,n64,nar,narc,nav,naz,nbt,nca,ncer,ncf,ncgr,nclr,ndd,ndr,neosave,nfs11save,ngage,ngp,ngs,nl2script,nlelem,nlpx,nltrack,nlvm,nop,npa,nro,ns1,nsbca,nsbmd,nsbtx,nsbva,n

scr,nsp,ntrk,ogz,omod,osk,osr,osu,ovh,ovl,p2m,p3t,papa,pbn,pbp,pcsav,pgn,phn,pk3,pk4,pkx,player,plr,pqhero,prk,properties,pssg,pwf,pxp,qwd,radq,rasunsoft,rbj,rbxl,rbxlx,rbxm,rbx

mx,replay,ress,rfc,rfgs_pc,rfm,rgd,rgp,rgss2a,rgss3a,rgssad,rgt,rim,rkg,rkp,rofl,ros,rot,rp2,rpgmvm,rpgmvo,rpgmvp,rpgproject,rpgsave,rpkg,rpl,rpyc,rs2,rsdk,rton,rttex,rvdata,rvd

ata2,rvproj,rvproj2,rxdata,s2z,sad,sami,sc2archive,sc2assets,sc2bank,sc2data,sc2ma,sc2map,sc2mod,sc2replay,sc2save,sc4desc,sc4lot,schematic,scs,scworld,sd7,settings,sfar,sfo,sg0

,sga,sgb,sgpbprj,sii,sims2pack,sims3,sims3pack,sli,smzip,splane,srm,stencyl,sv5,svs,taf,tbm,td6,tex0,tfr,tic,tiger,tim,tkr,tlk,tmod,tor,tp4,ts4script,ttarch,ttl,twt,tzarc,uasset

,uc,ucl,udk,ukx,ulx,umap,umd,umod,umx,unf,unif,unity,unity3d,unityproj,unr,updatr,upk,ups,uqm,usa,usx,ut2,ut2mod,ut3,ut4mod,ut8,utc,utw,utx,uvx,uxx,v64,vbf,vcm,veh,vfs0,vgi,vhv,

vmap,vmap_c,vmdl,vmv,vmx,vol,vvvvvv,vwp,vx2,w3g,w3m,w3n,w3x,w3z,wa2,wad,wagame,wal,wam,wbfs,wbt,wc6,weap,wgf,whirld,wl1,wl6,wldx,wmo,wolfquest,wop,world,wotmod,wotreplay,wowsrep

lay,wrpl,wtd,wtf,wu8,wxn,wz,xal,xan,xbe,xbsav,xci,xen,xex,xgdw,xgt,xmb,xnb,xom,xp2,xp3,xp4,xpk,xs,xtl,xvmconf,y3a,y3d,ycm,ydc,ydk,ydt,yfs,ytd,z1,z2,z2f,z2s,z3,z4,z5,z6,z64,z7,z8

,zad,zblorb,zks,zmap,zs0,zs1,zs2,zs3,zs4,zs5,zs6,zs7,zs8,zs9,zsd,zsm,ztd,ztmp,zzz,256,8st,a2theme,a7p,aco,acrodata,acv,acw,adpp,ahl,ahs,ahu,ait,aiu,alv,aom,arg,asef,asl,asw,aswc

s,asws,atc,ath,atn,atz,awcav,bau,bcmx,bgi,bitpim,bitsboard,blob,blt,blw,boot,bs7,bsxc,bsxp,btsearch,bxx,c2r,camp,cdrt,cex,chl,chx,clr,cmate,cmmtheme,cnf,comp,copreset,costyle,cp

dx,cptm,csaplan,cskin,csplan,cui,cuix,dbb,dbg,dcst,ddf,deft,directory,dok,dpv,dr5,dsw,dtsconfig,duck,dxls,ecfg,eft,eftx,ehi,emm,emmt,enp,ens,enz,epr,eqf,eqp,etff,eum,ewprj,eww,e

xample,exe4j,exportedui,eyetvp,eyetvsched,fat,fbt,fc,fcc,fdc,fe_launch,flst,fm3,fmod,fpl,frames,frr,fspy,ft,fth,ftp,ftpquota,fvp,fwt,fxb,gcsx,gid,gin,gliffy,gmw,godot,gqsx,gtkrc

,gvimrc,gvswatch,h2p,hd3d,hdt,hfp,hme,how2,hpr,ht,iaf,icc,icm,icst,icursorfx,iddx,idf,idpp,ihw,iip,iit,ikf,ikmp,immodules,import,injb,inms,ipcc,ipynb,iros,irs,isp,iss,itt,ix,jdf

,jkm,joy,kcb,kds,kfl,klc,kmf,kuip,kyb,kys,l4d,lbrn,lbu,lcc,lfo,lgt,lh3d,lily,lmc,lnst,loaders,look,lop,lrsmcol,lrtemplate,lva,lvf,lxcp,lxsopt,m2s,mailhost,mask,mcl,mgk,mlk,mns,m

nu,mobirise,moef,mof,moti,motn,motr,mpt,mskn,msn,mst,mxskin,mycolors,ncfg,nd,ndc,ngrr,nji,nkp,np4,npfx,nsx,ntc,nts,nvp,nwv,obi,obt,oce,officeui,ofp,oif,ois,olk14pref,oms,onetoc,

onetoc2,ops,options,opts,osdx,oss,otmu,otpu,otw,otwu,otz,ovpn,pctl,pdadj,pgp,pie,pio,pip,pmc,pmj,pmp,policy,pr,pref,prfpset,profimail,propdesc,props,ps1xml,psc1,pvs,pxb,q2d,q5q,

q9q,qat,qss,qtp,qvpp,qvt,qxw,rcf,rct,rdo,rdp,rdr,rdw,resmoncfg,rfq,rgrid,rhr,rll,rmskin,rnx,rpb,rpe,rpk,rproj,rps,rpv,ruleset,rwstyle,s2ml,sgt,sif,ski,skin,skn,skz,sl,slt,smt,sp

fx,srs,sss,stb,sw2,t2c,tcls,tee,terminal,tfx,tgw,the,thmx,tll,tlo,tmtheme,tpark,tscproj,tsi,tsm,tsz,tts,tvtemplate,tw3,twc,typeit4me,uct,udcx,ugr,uis,user,utz,vbox,vcomps,vcpref

,vcw,vim,vimrc,viz,vmac,vmba,vmc,vmcx,vmpl,vmtm,vmxf,vnc,vni,vph,vps,vqc,vsprops,vssettings,vstpreset,vsw,vtpr,wc,wcx,wcz,wfc,wfw,wif,wlvs,wme,wms,work,wzconfig,x4k,xcscheme,xct

,xcu,xdr,xep,xes,xet,xev,xgs,xiz,xlb,xpl,xst,xtodvd,xtreme,xui,xur,xvm,xwk,ytt,zon,zpf,zvt,acfm,amfm,dfont,eot,euf,f3f,ffil,fot,gdr,gf,glif,lwfn,nftr,odttf,pfa,pfb,pfm,pmt,suit,

t65,tfm,ttc,tte,vfb,vlw,vnf,woff,woff2,xfn,ytf,|||pkpass,grs,_eml,_nws,!bt,!qb,!sync,!ut,1,323,83p,8xp,aawdef,abr,ac$,acl,acs,add,aepkey,afploc,ahd,ahi,alt,aod,appup,aria2,auz,a

vastlic,avgdx,az!,bbl,bc!,bfc,bkmk,bli,bnd,bootskin,bp2,bp3,bqy,bst,bt!,buf,cache,calibre,cbds,cdf-

ms,cerber3,cfl,chunk001,chw,clkk,clkt,clkw,clkx,cmm,contour,cp3,crc,crd,ctg,cul,cvr,dcover,dctmp,decrypt,desktop,disabled,dlm,dmx-

info,drc,dskin,dstudio,dtapart,dwc,dwl,dwlibrary,ebn,edc,eek,ef2,egt,email,enf,enml,esd,event,ewnet,exd,extra,eyb,ezlog,ezw,fb!,feedback,ffu,file,fl3,flf,fmelic,fnd,fnlf,fpfv,fr

k,ftil,ftploc,fw,g1a,g3a,gau,glink,gly,gpg,gradients,gta,h1q,hdk,hdx,hlb,hlx,hmx,hxa,hxc,hxe,hxk,hxt,ical,icalendar,icma,icontainer,id,idlk,ifl,iix,imapmbox,imy,inca,indk,inetlo

c,ing,inlk,inm,iobit,ipsw,isn,itc,jad,jc,jc!,jcl,jcw,jms,jmt,jmx,jqz,jrs,khd,khi,kmr,kyr,lck,legal,letter,lic,licensekey,lid,link,linx,logonvista,logonxp,loov,lrc,lsn,lwtp,lxa,m

ab,mailtoloc,mbs,mc2,mco,md5,mdw,mfil,mgdatabase,mgo,mgt,mjdoc,mmo,mnl,mnx,montage,mpcpl,mrk,mta,mtd,mthd,mvi,na2,nav2,nch,nd5,ndl,new,nick,njb,nk2,nss,nth,nup,nvi,ob!,ook,opdow

nload,ost,otc,owg,owm,p10,p2p,p7m,p7r,pad,pando,partial,pdpcomp,plsk,ppk,psar,psi,pth,ptr,pvk,qds,qiz,qua,qwq,qxl,radiumkey2,rat,redir,reloc,rem,req,rfb,rfn,rfp,rmh,rov,rpmsg,rs

a,rtc,rwlibrary,rxc,search-ms,sft,sfv,shs,skba,skindex,skr,slf,slupkg-ms,snf,snt,sr0,sslf,ssw,storymill,svn-

work,swj,t$m,tbs,tcz,tec,tfil,tip,tla,tls,tmb,tnef,tnsp,tpkey,tpm,trace,tscdf,tstream,ttx,uls,unk,unknown,unl,upg,urr,vbt,vdjsend,ver,vir,vlcl,vmg,vmhf,vmhr,vmsg,vncloc,vor,vpa,

vpc6,vpc7,wba,wcinv,wdseml,wgs,wje,wordlist,wrts,wsz,wtc,wul,wwd,wzmul,xensearch,xlnk,xnk,xslic,xwf,ybd,ymg,yps,z80,zm9,zml,ztf,ztr,zvpl,|||pas,bpl,dpr,dcu,dpl,dproj,|||\n"

}

Yara Overview


Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

AV Detection:

Antivirus / Scanner detection for submitted sample


Multi AV Scanner detection for submitted file

Spam, unwanted Advertisements and Ransom Demands:



Deletes shadow drive data (may be related to ransomware)

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications

Source Rule Description Author Strings

C:\Users\user\AppData\Local\Temp\how_to_decrypt.hta JoeSecurity_CryLock Yara detected CryLock ransomware

Joe Security

Source Rule Description Author Strings

00000000.00000003.197222832.0000000004FF0000.00000004.00000001.sdmp

JoeSecurity_CryLock Yara detected CryLock ransomware

Joe Security

00000000.00000002.462601526.0000000005018000.00000004.00000001.sdmp


Joe Security

00000000.00000002.462574922.000000000500C000.00000004.00000001.sdmp


Joe Security

00000000.00000002.462552901.0000000004FF4000.00000004.00000001.sdmp


Joe Security

Process Memory Space: vnMQDhyZya.exe PID: 4580 JoeSecurity_CryLock Yara detected CryLock ransomware

Joe Security

Dropped Files

Memory Dumps


Mitre Att&ck Matrix

InitialAccess Execution Persistence

PrivilegeEscalation Defense Evasion

CredentialAccess Discovery

LateralMovement Collection Exfiltration

Commandand Control

NetworkEffects

RemoteServiceEffects

ValidAccounts

NativeAPI 1

ApplicationShimming 1

Access TokenManipulation 1

Masquerading 1 InputCapture 1 1

System TimeDiscovery 1

RemoteServices

InputCapture 1 1

ExfiltrationOver OtherNetworkMedium

EncryptedChannel 1

Eavesdrop onInsecureNetworkCommunication

RemotelyTrack DeviceWithoutAuthorization

DefaultAccounts

ScheduledTask/Job

Boot orLogonInitializationScripts

ProcessInjection 1

Access TokenManipulation 1

LSASSMemory

SecuritySoftwareDiscovery 1 2

RemoteDesktopProtocol

ArchiveCollectedData 1

ExfiltrationOverBluetooth

Junk Data Exploit SS7 toRedirect PhoneCalls/SMS

RemotelyWipe DataWithoutAuthorization

DomainAccounts

At (Linux) Logon Script(Windows)

ApplicationShimming 1

Process Injection 1 SecurityAccountManager

ProcessDiscovery 3

SMB/WindowsAdmin Shares

ClipboardData 2

AutomatedExfiltration

Steganography Exploit SS7 toTrack DeviceLocation

ObtainDeviceCloudBackups

LocalAccounts

At(Windows)

Logon Script(Mac)

Logon Script(Mac)

Deobfuscate/DecodeFiles orInformation 1

NTDS ApplicationWindowDiscovery 1 1

DistributedComponentObject Model

Input Capture ScheduledTransfer

ProtocolImpersonation

SIM CardSwap

CloudAccounts

Cron NetworkLogon Script

Network LogonScript

Obfuscated Files orInformation 2

LSA Secrets System ServiceDiscovery 1

SSH Keylogging DataTransferSize Limits

FallbackChannels

ManipulateDeviceCommunication

ReplicationThroughRemovableMedia

Launchd Rc.common Rc.common File Deletion 1 CachedDomainCredentials

File andDirectoryDiscovery 1

VNC GUI InputCapture

ExfiltrationOver C2Channel

MultibandCommunication

Jamming orDenial ofService

ExternalRemoteServices

ScheduledTask

StartupItems

Startup Items Compile AfterDelivery

DCSync SystemInformationDiscovery 2 6

WindowsRemoteManagement

Web PortalCapture

ExfiltrationOverAlternativeProtocol

CommonlyUsed Port

Rogue Wi-FiAccess Points

Behavior GraphID: 450141

Sample: vnMQDhyZya.bin

Startdate: 17/07/2021

Architecture: WINDOWS

Score: 96

Found malware configurationAntivirus / Scanner

detection for submittedsample

Icon mismatch, binaryincludes an icon from

a different legit applicationin order to fool users

4 other signatures

vnMQDhyZya.exe

1

started

C:\Users\user\AppData\...\how_to_decrypt.hta, HTML

dropped

Contains functionalityto detect sleep reduction

/ modifications

Legend:

Process

Signature

Created File

DNS/IP Info

Is Dropped

Is Windows Process

Number of created Registry Values

Number of created Files

Visual Basic

Delphi

Java

.Net C# or VB.NET

C, C++ or other language

Is malicious

Internet

Hide Legend

Behavior Graph


ThumbnailsThis section contains all screenshots as thumbnails, including those not shown in the slideshow.

Source Detection Scanner Label Link

vnMQDhyZya.exe 84% Virustotal Browse

vnMQDhyZya.exe 46% Metadefender Browse

Screenshots

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample


https://www.virustotal.com/gui/file/e001f6a5b2d4d2659b010fb5825eb4383e8f415861a244329bc70cfcd18da507/detection/f-e001f6a5b2d4d2659b010fb5825eb4383e8f415861a244329bc70cfcd18da507-1625049690

https://www.metadefender.com/#!/results/file/bzIxMDMzMDYxaHliazFhQnZtRm4yS0hPRExa/regular/analysis

General Information

Joe Sandbox Version: 33.0.0 White Diamond

Analysis ID: 450141

Start date: 17.07.2021

Start time: 00:31:14

Joe Sandbox Product: CloudBasic

Overall analysis duration: 0h 5m 40s

Hypervisor based Inspection enabled: false

Report type: light

Sample file name: vnMQDhyZya.bin (renamed file extension from bin to exe)

Cookbook file name: default.jbs

Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

Number of analysed new started processes analysed:

24

Number of new started drivers analysed: 0

Number of existing processes analysed: 0

Number of existing drivers analysed: 0

Number of injected processes analysed: 0

Technologies: HCA enabledEGA enabledHDC enabledAMSI enabled

Analysis Mode: default

Analysis stop reason: Timeout

Detection: MAL

Classification: mal96.rans.evad.winEXE@1/1@0/0

vnMQDhyZya.exe 86% ReversingLabs Win32.Ransomware.FileCryptor

vnMQDhyZya.exe 100% Avira HEUR/AGEN.1140448

Source Detection Scanner Label Link

No Antivirus matches

Source Detection Scanner Label Link Download

0.2.vnMQDhyZya.exe.400000.0.unpack 100% Avira HEUR/AGEN.1108767 Download File



No contacted domains info

No contacted IP infos

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs


EGA Information: Failed

HDC Information: Successful, ratio: 99.9% (good quality ratio 97.4%)Quality average: 80.4%Quality standard deviation: 25.2%

HCA Information: Failed

Cookbook Comments: Adjust boot timeEnable AMSI

Warnings:

No simulations

No context

No context

No context

No context

No context

C:\Users\user\AppData\Local\Temp\how_to_decrypt.hta

Process: C:\Users\user\Desktop\vnMQDhyZya.exe

File Type: HTML document, ASCII text, with CRLF line terminators

Category: dropped

Size (bytes): 6031

Entropy (8bit): 5.556670512747036

Encrypted: false

SSDEEP: 96:7SWCBg9TlfXNQBg9TlfXMrmd7BW5olrfYBeYDXA1cF00beuYK1:7FTlfXXTlfXMrmdNXf1cbnYI

MD5: 9B566DFE1A1F108C0DA7ECC9395B67A2

SHA1: F97195B9D974D4AE9269381462DA65F1D2ABDA85

SHA-256: 0834D8D12ABB8E0A3C22F4C8F0901240483844DD8063917BAEC2E3400522CF08

SHA-512: F95889ED583547BC14230231204328D2DF092823E4C8A3EC25792E9302AFC999A98A737BEFD39E647A3388F9273BF6D98878BCCE95E033A51AD55B0AC00FAE65

Malicious: true

Yara Hits: Rule: JoeSecurity_CryLock, Description: Yara detected CryLock ransomware, Source: C:\Users\user\AppData\Local\Temp\how_to_decrypt.hta, Author: Joe Security

Reputation: low

Show All

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files


Static File Info

GeneralFile type: PE32 executable (GUI) Intel 80386, for MS Windows

Entropy (8bit): 6.480181156357604

TrID: Win32 Executable (generic) a (10002005/4) 99.79%Win32 Executable Delphi generic (14689/80) 0.15%Win16/32 Executable Delphi generic (2074/23) 0.02%Generic Win/DOS Executable (2004/3) 0.02%DOS Executable Generic (2002/1) 0.02%

File name: vnMQDhyZya.exe

File size: 688128

MD5: 23755a33694adc76023dd0b7607bc03d

SHA1: 33a68ea32f34ab635a7f6ce6d39cf48e97329031

SHA256: e001f6a5b2d4d2659b010fb5825eb4383e8f415861a244329bc70cfcd18da507

SHA512: aa179e18c61514e0ea93fe0d3813af4d788b1f7c8fe20987e3d0316b77478f9afb6af3f9cd1797903b955b1a623e495c4f00c384957e93f1037fc45fb312ab58

SSDEEP: 12288:67YumfFmeva/WAQZYJo2YBVt3cU7iIFIeiqcaesKxt5Z3y+pIhfJhkiMySTXdv5/:EYT3a/WMJ4VbiwesKxt5Z3y+pIhfJhkF

File Content Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon

Icon Hash: b99988fcd4f66e0f

Preview:<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">..<html>..<title>CryLock</title>..<hta:application showInTaskBar="no" APPLICATION="yes" ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no" applicationname="CryLock" border="thick" contexmenu="no" ..scroll="no" selection="yes" singleinstance="yes" windowstate="normal" MAXIMIZEBUTTON="NO" BORDER="DIALOG" width="100" height="100" MINIMIZEBUTTON="NO"></hta:application>..<script language="JavaScript">..var ud=0;..var op=0xc7bf30;..var zoc=0;..function document.onkeydown() {.. var alt=window.event.altKey;.. if (event.keyCode==116 || event.keyCode==27 || alt && event.keyCode==115) {.. event.keyCode=0;.. event.cancelBubble=true;.. return false;.. }.. }..function document.onblur()..{..alert('Attention! This important information for you!');..}..function ChangeTime()..{..var sd = new Date('July 19 2021 00:32:00');..var dn = new Date();..if (sd.getTime()<dn.getTime())..{..var dt=document.getEle

C:\Users\user\AppData\Local\Temp\how_to_decrypt.hta

GeneralEntrypoint: 0x4766c0

Entrypoint Section: CODE

Digitally signed: false

Imagebase: 0x400000

Subsystem: windows gui

Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

DLL Characteristics:

Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]

TLS Callbacks:

CLR (.Net) Version:

OS Version Major: 4

OS Version Minor: 0

File Version Major: 4

File Version Minor: 0

Subsystem Version Major: 4

Subsystem Version Minor: 0

Import Hash: a673946f3abdec2477cd32a41983c2e9

Static PE Info

Entrypoint Preview


No network behavior found

Code Manipulations

Statistics

System Behavior

Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics

CODE 0x1000 0x75844 0x75a00 False 0.503746429995 data 6.54275157823 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

DATA 0x77000 0x1658 0x1800 False 0.482747395833 data 4.48427478987 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

BSS 0x79000 0x17c5 0x0 False 0 empty 0.0 IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

.idata 0x7b000 0x2a14 0x2c00 False 0.352272727273 data 4.91316264989 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

.tls 0x7e000 0x10 0x0 False 0 empty 0.0 IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

.rdata 0x7f000 0x18 0x200 False 0.048828125 data 0.20058190744 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

.reloc 0x80000 0x8a80 0x8c00 False 0.571958705357 data 6.64498546971 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

.rsrc 0x89000 0x24f64 0x25000 False 0.300431535051 data 5.20881384664 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Language of compilation system Country where language is spoken Map

Russian Russia

Network Behavior

Start time: 00:31:59

Start date: 17/07/2021

Data Directories

Sections

Resources

Imports

Possible Origin

Analysis Process: vnMQDhyZya.exe PID: 4580 Parent PID: 5692Analysis Process: vnMQDhyZya.exe PID: 4580 Parent PID: 5692

General


Joe Sandbox Cloud Basic 33.0.0 White Diamond

Disassembly

Code Analysis

Copyright Joe Security LLC

File ActivitiesFile Activities

Path: C:\Users\user\Desktop\vnMQDhyZya.exe

Wow64 process (32bit): true

Commandline: 'C:\Users\user\Desktop\vnMQDhyZya.exe'

Imagebase: 0x400000

File size: 688128 bytes

MD5 hash: 23755A33694ADC76023DD0B7607BC03D

Has elevated privileges: true

Has administrator privileges: true

Programmed in: Borland Delphi

Yara matches: Rule: JoeSecurity_CryLock, Description: Yara detected CryLock ransomware, Source: 00000000.00000003.197222832.0000000004FF0000.00000004.00000001.sdmp, Author: Joe SecurityRule: JoeSecurity_CryLock, Description: Yara detected CryLock ransomware, Source: 00000000.00000002.462601526.0000000005018000.00000004.00000001.sdmp, Author: Joe SecurityRule: JoeSecurity_CryLock, Description: Yara detected CryLock ransomware, Source: 00000000.00000002.462574922.000000000500C000.00000004.00000001.sdmp, Author: Joe SecurityRule: JoeSecurity_CryLock, Description: Yara detected CryLock ransomware, Source: 00000000.00000002.462552901.0000000004FF4000.00000004.00000001.sdmp, Author: Joe Security

Reputation: low

Show Windows behavior

File CreatedFile Created

File WrittenFile Written


http://www.joesecurity.org

Date post:	11-Mar-2023
Category:	Documents
Upload:	khangminh22
View:	0 times
Download:	0 times

Automated Malware Analysis Report for vnMQDhyZya.bin

Documents