Edit tour

Windows Analysis Report
66d5df681876c_file010924.exe

Overview

General Information

Sample name:	66d5df681876c_file010924.exe
Analysis ID:	1503035
MD5:	7972b08246e568495d9d116fc2d0b159
SHA1:	3e12225494f08369858453fd9fc7481b4f788165
SHA256:	2a6c90c8db27e6ac04c7e339dfe4b3c2d47a292bcf6fc1c5b4e0ae62fc81ff84
Tags:	exe
Infos:

Detection

Babuk, Djvu

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found ransom note / readme

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Babuk Ransomware

Yara detected Djvu Ransomware

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Infects executable files (exe, dll, sys, html)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Tries to harvest and steal browser information (history, passwords, etc)

Writes a notice file (html or txt) to demand a ransom

Writes many files with high entropy

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Sigma detected: CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

66d5df681876c_file010924.exe (PID: 6228 cmdline: "C:\Users\user\Desktop\66d5df681876c_file010924.exe" MD5: 7972B08246E568495D9D116FC2D0B159)

66d5df681876c_file010924.exe (PID: 6476 cmdline: "C:\Users\user\Desktop\66d5df681876c_file010924.exe" MD5: 7972B08246E568495D9D116FC2D0B159)

icacls.exe (PID: 4480 cmdline: icacls "C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8" /deny *S-1-1-0:(OI)(CI)(DE,DC) MD5: 2E49585E4E08565F52090B144062F97E)

66d5df681876c_file010924.exe (PID: 1512 cmdline: "C:\Users\user\Desktop\66d5df681876c_file010924.exe" --Admin IsNotAutoStart IsNotTask MD5: 7972B08246E568495D9D116FC2D0B159)

66d5df681876c_file010924.exe (PID: 6544 cmdline: "C:\Users\user\Desktop\66d5df681876c_file010924.exe" --Admin IsNotAutoStart IsNotTask MD5: 7972B08246E568495D9D116FC2D0B159)

66d5df681876c_file010924.exe (PID: 4244 cmdline: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe --Task MD5: 7972B08246E568495D9D116FC2D0B159)

66d5df681876c_file010924.exe (PID: 1424 cmdline: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe --Task MD5: 7972B08246E568495D9D116FC2D0B159)

66d5df681876c_file010924.exe (PID: 7864 cmdline: "C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe" --AutoStart MD5: 7972B08246E568495D9D116FC2D0B159)

66d5df681876c_file010924.exe (PID: 7900 cmdline: "C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe" --AutoStart MD5: 7972B08246E568495D9D116FC2D0B159)

66d5df681876c_file010924.exe (PID: 8116 cmdline: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe --Task MD5: 7972B08246E568495D9D116FC2D0B159)

66d5df681876c_file010924.exe (PID: 8144 cmdline: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe --Task MD5: 7972B08246E568495D9D116FC2D0B159)

66d5df681876c_file010924.exe (PID: 7172 cmdline: "C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe" --AutoStart MD5: 7972B08246E568495D9D116FC2D0B159)

66d5df681876c_file010924.exe (PID: 6912 cmdline: "C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe" --AutoStart MD5: 7972B08246E568495D9D116FC2D0B159)

66d5df681876c_file010924.exe (PID: 7932 cmdline: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe --Task MD5: 7972B08246E568495D9D116FC2D0B159)

66d5df681876c_file010924.exe (PID: 7900 cmdline: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe --Task MD5: 7972B08246E568495D9D116FC2D0B159)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Babuk	Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time. as well It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.	No Attribution	http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/ https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/ https://blog.morphisec.com/babuk-ransomware-variant-major-attack https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/	https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk

Name	Description	Attribution	Blogpost URLs	Link
STOP, Djvu	STOP Djvu Ransomware it is a ransomware which encrypts user data through AES-256 and adds one of the dozen available extensions as marker to the encrypted file's name. It is not used to encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.	No Attribution	https://angle.ankura.com/post/102het9/the-stop-ransomware-variant https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/ https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/	https://malpedia.caad.fkie.fraunhofer.de/details/win.stop

Malware Configuration

Threatname: Djvu

{"Download URLs": [""], "C2 url": "http://cajgtus.com/test1/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nDo not ask assistants from youtube and recovery data sites for help in recovering your data.\r\nThey can use your free decryption quota and scam you.\r\nOur contact is emails in this text document only.\r\nYou can get and look video overview decrypt tool:\r\nhttps://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284d\r\nPrice of private key and decrypt software is $999.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $499.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0874PsawqS", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsZOJbLC8rdQ3RNFdWJ9l\\\\nsRHwDxjXZCN4K9IEo3ccj2X7KVzvLXJ\\/I+jMWoFDgbTA5TMMDPMhlSykGYr1rbX9\\\\ntDxs5EL7FC3R6jbLzQ+QVdvG2Slvd1aEiSAhkrB6Z97DC28ixTGkA4aCQKKFT5ge\\\\nSXPpDStS2N3zeiWPCMkOs9RErtxVW9sXoWRAFtBg2kSHTyKEWcRqnxplrJGdVQKU\\\\n0DxDnHDefnxaf\\/3VSRczBwGZlq\\/Mr2bfHM2Mf8JWmYztlmGbjGb\\/\\/oixuuRePxzt\\\\n6xgozgVrC64HnagNFyODdlk2w\\/BpJWXIbgivZ0kR40Ll3NEAl3Z26cIkIc6pAJ3s\\\\nfwIDAQAB\\\\n-----END PUBLIC KEY-----"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000020.00000002.2444319207.0000000002332000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000001C.00000002.1624704973.000000000228E000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000018.00000002.1506583704.0000000002380000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000018.00000002.1506583704.0000000002380000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000020.00000002.2444379499.00000000023D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000020.00000002.2444379499.00000000023D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000006.00000002.1282127310.00000000022FE000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000001C.00000002.1624809590.0000000002320000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000001C.00000002.1624809590.0000000002320000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000019.00000002.1522339744.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000019.00000002.1522339744.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000019.00000002.1522339744.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000000.00000002.1232942398.00000000022C9000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000001D.00000002.1635910279.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000001D.00000002.1635910279.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000001D.00000002.1635910279.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000014.00000002.1380517656.0000000002181000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000021.00000002.2454668093.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000021.00000002.2454668093.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000021.00000002.2454668093.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000005.00000002.1261436866.00000000023E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000005.00000002.1261436866.00000000023E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000005.00000002.1261344737.000000000233F000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1232991821.0000000002360000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000000.00000002.1232991821.0000000002360000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000006.00000002.1282193755.0000000002390000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000006.00000002.1282193755.0000000002390000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000002.00000002.1252295528.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000002.00000002.1252295528.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000002.00000002.1252295528.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000018.00000002.1506412476.00000000022EA000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000C.00000002.2488460103.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000C.00000002.2488460103.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000C.00000002.2488460103.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000015.00000002.1393524836.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000015.00000002.1393524836.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000015.00000002.1393524836.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000014.00000002.1380613748.0000000002360000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000014.00000002.1380613748.0000000002360000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
Process Memory Space: 66d5df681876c_file010924.exe PID: 6228	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: 66d5df681876c_file010924.exe PID: 6228	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x458fd:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: 66d5df681876c_file010924.exe PID: 6476	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: 66d5df681876c_file010924.exe PID: 6476	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x69565:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: 66d5df681876c_file010924.exe PID: 1512	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: 66d5df681876c_file010924.exe PID: 1512	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x37573:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: 66d5df681876c_file010924.exe PID: 4244	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: 66d5df681876c_file010924.exe PID: 4244	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x4c302:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: 66d5df681876c_file010924.exe PID: 1424	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: 66d5df681876c_file010924.exe PID: 1424	JoeSecurity_babuk	Yara detected Babuk Ransomware	Joe Security
Process Memory Space: 66d5df681876c_file010924.exe PID: 1424	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x48f3f:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: 66d5df681876c_file010924.exe PID: 7864	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: 66d5df681876c_file010924.exe PID: 7864	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x4b63d:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Click to see the 47 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
33.2.66d5df681876c_file010924.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
33.2.66d5df681876c_file010924.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
33.2.66d5df681876c_file010924.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
2.2.66d5df681876c_file010924.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
2.2.66d5df681876c_file010924.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
2.2.66d5df681876c_file010924.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
29.2.66d5df681876c_file010924.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
29.2.66d5df681876c_file010924.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
29.2.66d5df681876c_file010924.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
20.2.66d5df681876c_file010924.exe.23615a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
20.2.66d5df681876c_file010924.exe.23615a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
20.2.66d5df681876c_file010924.exe.23615a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0.2.66d5df681876c_file010924.exe.23615a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0.2.66d5df681876c_file010924.exe.23615a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0.2.66d5df681876c_file010924.exe.23615a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
12.2.66d5df681876c_file010924.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
12.2.66d5df681876c_file010924.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
12.2.66d5df681876c_file010924.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
25.2.66d5df681876c_file010924.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
25.2.66d5df681876c_file010924.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
25.2.66d5df681876c_file010924.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
28.2.66d5df681876c_file010924.exe.23215a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
28.2.66d5df681876c_file010924.exe.23215a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
28.2.66d5df681876c_file010924.exe.23215a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
20.2.66d5df681876c_file010924.exe.23615a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
20.2.66d5df681876c_file010924.exe.23615a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
20.2.66d5df681876c_file010924.exe.23615a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.2.66d5df681876c_file010924.exe.23915a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.2.66d5df681876c_file010924.exe.23915a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.2.66d5df681876c_file010924.exe.23915a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.2.66d5df681876c_file010924.exe.23915a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.2.66d5df681876c_file010924.exe.23915a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.2.66d5df681876c_file010924.exe.23915a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
21.2.66d5df681876c_file010924.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
21.2.66d5df681876c_file010924.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
21.2.66d5df681876c_file010924.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
12.2.66d5df681876c_file010924.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
12.2.66d5df681876c_file010924.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
2.2.66d5df681876c_file010924.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
12.2.66d5df681876c_file010924.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
2.2.66d5df681876c_file010924.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
2.2.66d5df681876c_file010924.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
29.2.66d5df681876c_file010924.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
29.2.66d5df681876c_file010924.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
29.2.66d5df681876c_file010924.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
32.2.66d5df681876c_file010924.exe.23d15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
32.2.66d5df681876c_file010924.exe.23d15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
32.2.66d5df681876c_file010924.exe.23d15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
25.2.66d5df681876c_file010924.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
25.2.66d5df681876c_file010924.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
25.2.66d5df681876c_file010924.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
28.2.66d5df681876c_file010924.exe.23215a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
28.2.66d5df681876c_file010924.exe.23215a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
28.2.66d5df681876c_file010924.exe.23215a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
24.2.66d5df681876c_file010924.exe.23815a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
24.2.66d5df681876c_file010924.exe.23815a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
24.2.66d5df681876c_file010924.exe.23815a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.2.66d5df681876c_file010924.exe.23e15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.2.66d5df681876c_file010924.exe.23e15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.2.66d5df681876c_file010924.exe.23e15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
32.2.66d5df681876c_file010924.exe.23d15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
32.2.66d5df681876c_file010924.exe.23d15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
32.2.66d5df681876c_file010924.exe.23d15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
33.2.66d5df681876c_file010924.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
33.2.66d5df681876c_file010924.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
33.2.66d5df681876c_file010924.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.2.66d5df681876c_file010924.exe.23e15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.2.66d5df681876c_file010924.exe.23e15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.2.66d5df681876c_file010924.exe.23e15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0.2.66d5df681876c_file010924.exe.23615a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0.2.66d5df681876c_file010924.exe.23615a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0.2.66d5df681876c_file010924.exe.23615a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
24.2.66d5df681876c_file010924.exe.23815a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
24.2.66d5df681876c_file010924.exe.23815a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
24.2.66d5df681876c_file010924.exe.23815a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
21.2.66d5df681876c_file010924.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
21.2.66d5df681876c_file010924.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
21.2.66d5df681876c_file010924.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
Click to see the 73 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe" --AutoStart, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\66d5df681876c_file010924.exe, ProcessId: 6476, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.7 - Destination IP: 188.114.97.3

Timestamp:	2024-09-02T18:21:06.383076+0200
SID:	2803274
Severity:	2
Source Port:	49701
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.7 - Destination IP: 188.114.97.3

Timestamp:	2024-09-02T18:21:08.618997+0200
SID:	2803274
Severity:	2
Source Port:	49702
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET MALWARE Win32/Filecoder.STOP Variant Public Key Download - Source IP: 190.220.21.28 - Destination IP: 192.168.2.7

Timestamp:	2024-09-02T18:21:13.757401+0200
SID:	2036335
Severity:	1
Source Port:	80
Destination Port:	49706
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.7 - Destination IP: 190.220.21.28

Timestamp:	2024-09-02T18:21:13.756183+0200
SID:	2803274
Severity:	2
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE STOP Ransomware CnC Activity - Source IP: 192.168.2.7 - Destination IP: 190.220.21.28

Timestamp:	2024-09-02T18:21:13.756183+0200
SID:	2833438
Severity:	1
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.7 - Destination IP: 188.114.97.3

Timestamp:	2024-09-02T18:21:20.656245+0200
SID:	2803274
Severity:	2
Source Port:	49712
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET MALWARE Win32/Filecoder.STOP Variant Public Key Download - Source IP: 190.220.21.28 - Destination IP: 192.168.2.7

Timestamp:	2024-09-02T18:21:13.757094+0200
SID:	2036335
Severity:	1
Source Port:	80
Destination Port:	49705
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.7 - Destination IP: 188.114.97.3

Timestamp:	2024-09-02T18:23:06.711561+0200
SID:	2803274
Severity:	2
Source Port:	49731
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.7 - Destination IP: 188.114.97.3

Timestamp:	2024-09-02T18:21:33.150577+0200
SID:	2803274
Severity:	2
Source Port:	49725
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.7 - Destination IP: 188.114.97.3

Timestamp:	2024-09-02T18:21:44.860802+0200
SID:	2803274
Severity:	2
Source Port:	49727
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.7 - Destination IP: 188.114.97.3

Timestamp:	2024-09-02T18:21:10.605985+0200
SID:	2803274
Severity:	2
Source Port:	49703
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.7 - Destination IP: 190.220.21.28

Timestamp:	2024-09-02T18:21:13.756182+0200
SID:	2803274
Severity:	2
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key - Source IP: 192.168.2.7 - Destination IP: 190.220.21.28

Timestamp:	2024-09-02T18:21:13.756182+0200
SID:	2036334
Severity:	1
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://cajgtus.com/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200	Avira URL Cloud: Label: malware
Source: http://cajgtus.com/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200GtY	Avira URL Cloud: Label: malware
Source: http://cajgtus.com/test1/get.phpj	Avira URL Cloud: Label: malware
Source: http://cajgtus.com/test1/get.php	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000018.00000002.1506583704.0000000002380000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Djvu {"Download URLs": [""], "C2 url": "http://cajgtus.com/test1/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nDo not ask assistants from youtube and recovery data sites for help in recovering your data.\r\nThey can use your free decryption quota and scam you.\r\nOur contact is emails in this text document only.\r\nYou can get and look video overview decrypt tool:\r\nhttps://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284d\r\nPrice of private key and decrypt software is $999.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $499.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0874PsawqS", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\del

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe

ReversingLabs: Detection: 71%

Multi AV Scanner detection for submitted file

Source: 66d5df681876c_file010924.exe

ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 66d5df681876c_file010924.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	2_2_0040E870
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0040EA51 CryptDestroyHash,CryptReleaseContext,	2_2_0040EA51
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	2_2_0040EAA0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0040EC68 CryptDestroyHash,CryptReleaseContext,	2_2_0040EC68
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,	2_2_00410FC0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00411178 CryptDestroyHash,CryptReleaseContext,	2_2_00411178
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	12_2_0040E870
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	12_2_0040EAA0
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,	12_2_00410FC0
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00411178 CryptDestroyHash,CryptReleaseContext,	12_2_00411178
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0040EA51 CryptDestroyHash,CryptReleaseContext,	12_2_0040EA51
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0040EC68 CryptDestroyHash,CryptReleaseContext,	12_2_0040EC68

Source: 66d5df681876c_file010924.exe, 00000007.00000003.1857302655.00000000006BD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_a22face6-e

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Unpacked PE file: 2.2.66d5df681876c_file010924.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Unpacked PE file: 12.2.66d5df681876c_file010924.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Unpacked PE file: 21.2.66d5df681876c_file010924.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Unpacked PE file: 25.2.66d5df681876c_file010924.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Unpacked PE file: 29.2.66d5df681876c_file010924.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Unpacked PE file: 33.2.66d5df681876c_file010924.exe.400000.0.unpack

Source: 66d5df681876c_file010924.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\_readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\$WinREAgent\_readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\$WinREAgent\Scratch\_readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\jones\_readme.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	File created: C:\_readme.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	File created: C:\Users\user\_readme.txt	Jump to behavior

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49731 version: TLS 1.2

Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\che\p source: 66d5df681876c_file010924.exe, 00000007.00000003.1874024202.00000000035B6000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1873342035.0000000003596000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862419723.000000000358D000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862505786.0000000003598000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1874976893.00000000035C6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\e\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1926069584.000000000386F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1873929708.0000000003857000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1927184545.0000000003876000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1898829486.000000000383F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1874849344.000000000385E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\Data\P source: 66d5df681876c_file010924.exe, 00000007.00000003.1449642704.00000000034F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\e\\oC source: 66d5df681876c_file010924.exe, 00000007.00000003.1419014721.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1419063280.00000000006B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\*8Ym9W source: 66d5df681876c_file010924.exe, 00000007.00000003.1874172143.00000000034AD000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1876173870.00000000034C4000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1841010847.00000000034C1000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1863595092.00000000034B3000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1857497513.00000000034C3000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1896115774.00000000034A1000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1897648882.00000000034C6000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781668191.00000000034BD000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1940486710.00000000034C0000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1896183215.00000000034C3000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1925928920.00000000034B5000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1840831198.00000000034A1000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1927479762.00000000034BC000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1856785304.00000000034A9000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862923885.00000000034AC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\\* source: 66d5df681876c_file010924.exe, 00000007.00000003.1407550736.0000000003018000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\AC\D@y source: 66d5df681876c_file010924.exe, 00000007.00000003.1939452087.0000000003E58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1923844523.0000000003DE8000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1939452087.0000000003DE8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1503154342.0000000003586000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1503857906.0000000002FED000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781457345.0000000003540000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781705167.0000000003596000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1646227393.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1449688125.000000000358E000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1503665626.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1449273396.0000000003560000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781558146.0000000003578000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1644137786.000000000357F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1781606614.00000000034CE000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1841010847.00000000034C1000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1644137786.000000000357F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1840831198.00000000034A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1841840045.00000000038DF000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862345075.000000000392F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862065132.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1841612895.00000000038B7000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1855268527.00000000038AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\s\X- source: 66d5df681876c_file010924.exe, 00000007.00000003.1841566342.000000000355A000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1842024201.000000000355B000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1840659359.0000000003540000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1842496402.0000000003581000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1841761179.000000000355B000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1840136245.0000000003515000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1842318558.000000000357F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1782551785.00000000034A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1842736440.000000000383F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1921818522.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1897447370.0000000003BC1000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1928412478.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1896722726.0000000003C68000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1898391125.0000000003CB8000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1897980412.0000000003C87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*^R source: 66d5df681876c_file010924.exe, 00000007.00000003.1644137786.000000000357F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1782075407.00000000035DA000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1841048090.0000000003630000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1782415161.0000000003614000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1782250781.00000000035DB000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781335365.00000000035BE000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1782358386.0000000003608000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1646227393.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1782627575.000000000362C000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1840928675.0000000003618000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1842632171.0000000003633000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1840031953.00000000035DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 66d5df681876c_file010924.exe, 66d5df681876c_file010924.exe, 0000000C.00000002.2488460103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000014.00000002.1380613748.0000000002360000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\Etx source: 66d5df681876c_file010924.exe, 00000007.00000003.1897447370.0000000003BC1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\.q source: 66d5df681876c_file010924.exe, 00000007.00000003.1644137786.000000000357F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\R\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1644137786.000000000357F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 66d5df681876c_file010924.exe, 00000007.00000003.1354753858.0000000003440000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdesk\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1449434066.00000000034FF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1449688125.000000000358E000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1449273396.0000000003560000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 66d5df681876c_file010924.exe, 00000000.00000002.1232991821.0000000002360000.00000040.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000002.00000002.1252295528.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000005.00000002.1261436866.00000000023E0000.00000040.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000006.00000002.1282193755.0000000002390000.00000040.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 0000000C.00000002.2488460103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000014.00000002.1380613748.0000000002360000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\06\n [<k source: 66d5df681876c_file010924.exe, 00000007.00000003.1863411961.0000000003005000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\9 source: 66d5df681876c_file010924.exe, 00000007.00000003.1939452087.0000000003E58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\` source: 66d5df681876c_file010924.exe, 00000007.00000003.1856829390.0000000003638000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1875087794.0000000003640000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1841048090.0000000003630000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1873658789.00000000035CE000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1873342035.0000000003596000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1873863860.00000000035DE000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1856302765.00000000035E6000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1856700609.0000000003618000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1840928675.0000000003618000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1842632171.0000000003633000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1874583286.000000000361A000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1840031953.00000000035DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1926069584.000000000386F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1926339843.0000000003AB6000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1927184545.0000000003876000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1927721951.00000000038AF000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1940441236.000000000389F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ate\d source: 66d5df681876c_file010924.exe, 00000007.00000003.1941224453.00000000035D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1503426204.0000000003016000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1414687237.0000000003052000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1449970090.0000000003047000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1503544842.0000000003047000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1414539784.0000000003039000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1414572819.000000000304A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1841678052.00000000037B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Uz source: 66d5df681876c_file010924.exe, 00000007.00000003.1895097511.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1927368986.000000000392F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1925557469.00000000038E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\ules\; source: 66d5df681876c_file010924.exe, 00000007.00000003.1450042666.0000000003540000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1449434066.00000000034FF000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781457345.0000000003540000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1503598195.0000000003540000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1645701345.0000000003543000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1503233619.000000000350C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\o source: 66d5df681876c_file010924.exe, 00000007.00000003.1926069584.000000000386F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1873929708.0000000003857000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1927184545.0000000003876000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1898829486.000000000383F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1874849344.000000000385E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\:\UML source: 66d5df681876c_file010924.exe, 00000007.00000003.1841840045.00000000038DF000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862345075.000000000392F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862065132.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1841612895.00000000038B7000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1855268527.00000000038AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\<9 source: 66d5df681876c_file010924.exe, 00000007.00000003.1863411961.0000000003005000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1940798434.00000000035F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\:\Users8 source: 66d5df681876c_file010924.exe, 00000007.00000003.1920725014.00000000039FD000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1920436665.00000000039A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\ing source: 66d5df681876c_file010924.exe, 00000007.00000003.1414632632.0000000003014000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1503426204.0000000003016000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1414598195.0000000003009000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1503810721.0000000003027000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1895097511.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1927368986.000000000392F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1925557469.00000000038E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\Data\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1856221697.00000000034EA000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1856521488.0000000003519000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862785834.000000000352D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1407734481.0000000002FEF000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1407618047.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1414663073.0000000002FF1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1941309860.00000000037B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\f source: 66d5df681876c_file010924.exe, 00000007.00000003.1503888368.0000000002FD5000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781997057.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1646227393.0000000002FD5000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781792022.0000000002FD5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1840619727.00000000035B6000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781457345.0000000003540000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781705167.0000000003596000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781997057.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1840136245.0000000003515000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781558146.0000000003578000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1782471207.0000000003010000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781792022.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\40m source: 66d5df681876c_file010924.exe, 00000007.00000003.1873929708.0000000003857000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1874849344.000000000385E000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862690814.000000000383F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1926339843.0000000003AB6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\.watzz/ source: 66d5df681876c_file010924.exe, 00000007.00000003.1873929708.0000000003857000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1874849344.000000000385E000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862690814.000000000383F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\X source: 66d5df681876c_file010924.exe, 00000007.00000003.1842736440.000000000383F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1898829486.000000000383F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862690814.000000000383F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1941365593.000000000383F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\n\. source: 66d5df681876c_file010924.exe, 00000007.00000003.1926069584.000000000386F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1927184545.0000000003876000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1927721951.00000000038AF000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1940441236.000000000389F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\= source: 66d5df681876c_file010924.exe, 00000007.00000003.1876772587.0000000003BB1000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1897447370.0000000003BC1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\) source: 66d5df681876c_file010924.exe, 00000007.00000003.1449273396.0000000003560000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1876772587.0000000003BB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1926173964.0000000003525000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1925928920.00000000034F9000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1921818522.0000000003BD0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\s\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1856221697.00000000034EA000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1856521488.0000000003519000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862785834.000000000352D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\G[- source: 66d5df681876c_file010924.exe, 00000007.00000003.1921818522.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1928412478.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1896722726.0000000003C68000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1898391125.0000000003CB8000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1897980412.0000000003C87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\] source: 66d5df681876c_file010924.exe, 00000007.00000003.1862736852.00000000038D7000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1841840045.00000000038DF000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862065132.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1841612895.00000000038B7000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1855268527.00000000038AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\s\> source: 66d5df681876c_file010924.exe, 00000007.00000003.1874024202.00000000035B6000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1873342035.0000000003596000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862419723.000000000358D000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862505786.0000000003598000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1874976893.00000000035C6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\he\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1781606614.00000000034CE000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1840342955.00000000034D4000.00000004.00000020.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	System file written: C:\Users\user\AppData\Local\Temp\chrome.exe			Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	System file written: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\ThirdPartyNotice.html			Jump to behavior

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	2_2_00410160
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	2_2_0040F730
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	2_2_0040FB98
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	12_2_0040F730
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00410160 Sleep,PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	12_2_00410160
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	12_2_0040FB98

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Code function: 0_2_00403626 GetNumberFormatW,CreateJobObjectW,GetConsoleAliasExesW,EnumDateFormatsA,CreateNamedPipeA,GetProcessVersion,SetFileShortNameA,SetProcessShutdownParameters,GetCalendarInfoA,LoadLibraryW,GetModuleFileNameW,GetNumberFormatA,GetLogicalDriveStringsA,VerifyVersionInfoW,SetVolumeMountPointA,CreateHardLinkA,UnlockFile,SetCommState,GetTempPathA,_memset,CommConfigDialogW,CreateActCtxA,EnumCalendarInfoExA,GetLocaleInfoA,ReadConsoleInputW,SetVolumeMountPointA,GetConsoleAliasExesLengthW,CreateEventW,

0_2_00403626

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2833438 - Severity 1 - ETPRO MALWARE STOP Ransomware CnC Activity : 192.168.2.7:49706 -> 190.220.21.28:80
Source: Network traffic	Suricata IDS: 2036335 - Severity 1 - ET MALWARE Win32/Filecoder.STOP Variant Public Key Download : 190.220.21.28:80 -> 192.168.2.7:49706
Source: Network traffic	Suricata IDS: 2036334 - Severity 1 - ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key : 192.168.2.7:49705 -> 190.220.21.28:80
Source: Network traffic	Suricata IDS: 2036335 - Severity 1 - ET MALWARE Win32/Filecoder.STOP Variant Public Key Download : 190.220.21.28:80 -> 192.168.2.7:49705

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://cajgtus.com/test1/get.php

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

ASN Name: AMXArgentinaSAAR AMXArgentinaSAAR

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49706 -> 190.220.21.28:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49705 -> 190.220.21.28:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49702 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49727 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49703 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49731 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49725 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49712 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49701 -> 188.114.97.3:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Code function: 2_2_0040CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

2_2_0040CF10

Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200&first=true HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: cajgtus.com
Source: global traffic	HTTP traffic detected: GET /test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200 HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: cajgtus.com

Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: 66d5df681876c_file010924.exe, 0000000C.00000003.1345015807.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1345195304.0000000003440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1345267437.0000000003440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: api.2ip.ua
Source: global traffic	DNS traffic detected: DNS query: cajgtus.com

Source: 66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.0000000000679000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test1/get.php
Source: 66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.0000000000638000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200
Source: 66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.00000000006C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200GtY
Source: 66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.0000000000679000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test1/get.phpj
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1355935941.0000000003440000.00000004.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1379289635.0000000003440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 66d5df681876c_file010924.exe, 00000000.00000002.1232991821.0000000002360000.00000040.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000002.00000002.1252295528.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000005.00000002.1261436866.00000000023E0000.00000040.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000006.00000002.1282193755.0000000002390000.00000040.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 0000000C.00000002.2488460103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000014.00000002.1380613748.0000000002360000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1847950905.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://jedwatson.github.io/classnames
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1847950905.0000000003300000.00000004.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1846853104.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://underscorejs.org/LICENSE
Source: 66d5df681876c_file010924.exe, 0000000C.00000003.1344918775.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1345031667.0000000003440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: 66d5df681876c_file010924.exe, 0000000C.00000003.1345086458.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.live.com/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1345122319.0000000003440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.nytimes.com/
Source: 66d5df681876c_file010924.exe, 00000015.00000002.1393524836.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: 66d5df681876c_file010924.exe, 0000000C.00000003.1345160231.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.reddit.com/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1345195304.0000000003440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.twitter.com/
Source: 66d5df681876c_file010924.exe, 0000000C.00000003.1345249561.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.wikipedia.com/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1345267437.0000000003440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1369978087.0000000003440000.00000004.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1353189092.0000000003440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://allegro.pl/
Source: 66d5df681876c_file010924.exe, 00000015.00000002.1394638850.0000000000748000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/
Source: 66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.0000000000679000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/9
Source: 66d5df681876c_file010924.exe, 00000002.00000002.1252430363.000000000062D000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000002.00000003.1251377452.000000000062D000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000002.00000003.1250134757.000000000062C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/;
Source: 66d5df681876c_file010924.exe, 00000015.00000002.1394638850.0000000000748000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000015.00000002.1394638850.0000000000796000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json
Source: 66d5df681876c_file010924.exe, 00000015.00000002.1394638850.0000000000708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonHB
Source: 66d5df681876c_file010924.exe, 00000015.00000002.1394638850.0000000000796000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonI8=d8
Source: 66d5df681876c_file010924.exe, 00000015.00000002.1394638850.0000000000708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonPC
Source: 66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.0000000000679000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonQ
Source: 66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.0000000000638000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonRx
Source: 66d5df681876c_file010924.exe, 00000015.00000002.1394638850.0000000000708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonWi
Source: 66d5df681876c_file010924.exe, 00000015.00000002.1394638850.0000000000708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsoni
Source: 66d5df681876c_file010924.exe, 00000002.00000003.1251308792.000000000064B000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000002.00000003.1251353345.000000000064E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonj
Source: 66d5df681876c_file010924.exe, 00000015.00000002.1394638850.0000000000708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonp
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1273669336.0000000000656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonv
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1273669336.000000000061C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/q
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1357385958.0000000003440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://artifacts.dev.azure.com/office/_apis/symbol/symsrv/privacy-sdx.win32.bundle.js.map/e3b0c4429
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1369978087.0000000003440000.00000004.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1353189092.0000000003440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.com
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1369978087.0000000003440000.00000004.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1353189092.0000000003440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.com/v1/assets
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1369978087.0000000003440000.00000004.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1353189092.0000000003440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.com/v1/assets/$batch
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.0000000000545000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1357773774.0000000003440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/generate_204
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/:
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/J
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/:
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/J
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/J
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1846312432.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1849676514.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fb.me/react-polyfills
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1846853104.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/focus-trap/tabbable/blob/master/LICENSE
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1847667825.0000000003300000.00000004.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1847950905.0000000003300000.00000004.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1846853104.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jsstyles/css-vendor
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1357773774.0000000003440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/react-native-community/react-native-netinfo
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1847950905.0000000003300000.00000004.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1846853104.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://lodash.com/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1847950905.0000000003300000.00000004.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1846853104.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://lodash.com/license
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/:
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/J
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1373069786.0000000003440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1850189989.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mths.be/fromcodepoint
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1847950905.0000000003300000.00000004.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1846853104.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://openjsf.org/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1849432694.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.com/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1849432694.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.com/M365.Access
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1849432694.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.com/User.ReadWrite
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1849676514.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://reactjs.org/docs/error-decoder.html?invariant=
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1849804677.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1849432694.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com/api/v2.0/Users(
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1849432694.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com/imageB2/v1.0/users/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1849432694.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office365.us/api/v2.0/Users(
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1849432694.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office365.us/imageB2/v1.0/users/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: 66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.0000000000716000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wetransfer.c
Source: 66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.0000000000716000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wetransfer.com/downloads
Source: 66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.0000000000716000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wetransfer.com/downloads(
Source: 66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.0000000000716000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wetransfer.com/downloads/abe121434ad837dd5bdd038
Source: 66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.00000000006C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284d
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.ca/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.de/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.fr/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.bbc.co.uk/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ctrip.com/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.co.uk/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.de/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.0000000000545000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ifeng.com/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.iqiyi.com/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1850244069.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/finance?OCID=WSB_TL_FN&PC=wsbmsnqs
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1850244069.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/news?OCID=WSB_QS_NE&PC=wsbmsnqs
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1850244069.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/sports?OCID=WSB_TL_EL&PC=wsbmsnqs
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1850244069.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/weather?OCID=WSB_QS_WE&PC=wsbmsnqs
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/:
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49731 version: TLS 1.2

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Code function: 2_2_004822E0 CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC,

2_2_004822E0

Spam, unwanted Advertisements and Ransom Demands

Found ransom note / readme

Source: C:\_readme.txt

Dropped file: ATTENTION!Don't worry, you can return all your files!All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.The only method of recovering files is to purchase decrypt tool and unique key for you.This software will decrypt all your encrypted files.What guarantees you have?You can send one of your encrypted file from your PC and we decrypt it for free.But we can decrypt only 1 file for free. File must not contain valuable information.Do not ask assistants from youtube and recovery data sites for help in recovering your data.They can use your free decryption quota and scam you.Our contact is emails in this text document only.You can get and look video overview decrypt tool:https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284dPrice of private key and decrypt software is $999.Discount 50% available if you contact us first 72 hours, that's price for you is $499.Please note that you'll never restore your data without payment.Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.To get this software you need write on our e-mail:support@freshingmail.topReserve e-mail address to contact us:datarestorehelpyou@airmail.ccYour personal ID:0874PsawqStp8qj68iQwedJUixDcnQEpfFZzicxmbmmdy7tJyT

Jump to dropped file

Yara detected Babuk Ransomware

Source: Yara match

File source: Process Memory Space: 66d5df681876c_file010924.exe PID: 1424, type: MEMORYSTR

Yara detected Djvu Ransomware

Source: Yara match	File source: 33.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.66d5df681876c_file010924.exe.23615a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.66d5df681876c_file010924.exe.23615a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.66d5df681876c_file010924.exe.23215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.66d5df681876c_file010924.exe.23615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.66d5df681876c_file010924.exe.23915a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.66d5df681876c_file010924.exe.23915a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.66d5df681876c_file010924.exe.23d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.66d5df681876c_file010924.exe.23215a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.66d5df681876c_file010924.exe.23815a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.66d5df681876c_file010924.exe.23e15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.66d5df681876c_file010924.exe.23d15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.66d5df681876c_file010924.exe.23e15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.66d5df681876c_file010924.exe.23615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.66d5df681876c_file010924.exe.23815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.1506583704.0000000002380000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2444379499.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1624809590.0000000002320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1522339744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1635910279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2454668093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1261436866.00000000023E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1232991821.0000000002360000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1282193755.0000000002390000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1252295528.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2488460103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1393524836.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1380613748.0000000002360000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 66d5df681876c_file010924.exe PID: 6228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 66d5df681876c_file010924.exe PID: 6476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 66d5df681876c_file010924.exe PID: 1512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 66d5df681876c_file010924.exe PID: 4244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 66d5df681876c_file010924.exe PID: 1424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 66d5df681876c_file010924.exe PID: 7864, type: MEMORYSTR

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	File moved: C:\Users\user\Desktop\LFOPODGVOH.mp3	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	File deleted: C:\Users\user\Desktop\LFOPODGVOH.mp3	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File moved: C:\Users\user\Desktop\UNKRLCVOHV.png	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File deleted: C:\Users\user\Desktop\UNKRLCVOHV.png	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File moved: C:\Users\user\Desktop\LFOPODGVOH.pdf	Jump to behavior

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f2609905-bc23-4c47-8645-cbcf38bc7d2c}\appsglobals.txt -> decrypter\dvddecrypter.exe12438{6d809377-6af0-444b-8957-a3773f02200e}\renderdoc\qrenderdoc.exe12438{6d809377-6af0-444b-8957-a3773f02200e}\microsoft system center 2012 r2\service manager\microsoft.enterprisemanagement.servicemanager.ui.console.exe12438microsoft.appv.603b45325cf2a147a217bc0826e85cce12439{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}\pro evolution soccer 2018\pes2018.exe12439c:\ignition\ignitioncasino.exe12440{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}\splashdata\splashid safe\splashid safe.exe12440{6d809377-6af0-444b-8957-a3773f02200e}\native instruments\komplete kontrol\komplete kontrol.exe1244025342asdf3333.stoppuhrtimer_1xbryz0n7krfa!app12441{6d809377-6af0-444b-8957-a3773f02200e}\owasp\zed attack proxy\zap.exe12441{6d809377-6af0-444b-8957-a3773f02200e}\dell\toad for oracle 2015 r2 suite\toad for oracle 12.8\toad.exe12441{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}\mysql\mysql workbench 6.0 ce\mysqlworkbench.exe12441212377tik.7tik-tiktokforwindows_da70t93mgq52j!app12442{7c	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{2ce60361-e872-41fb-bae7-eec2f580d4fb}\0.0.filtertrie.intermediate.txt -> decryption settings~decrease zoom level~decrease volume~decrease mouse speed~decrease mouse acceleration~decrease brightness~decode~decice~deault~deaf~deafult~ddevice~daylight saving time on or off~davice~dates~date time~date settings~date and time~date and time settings~date and time from a time server~date and time formats~data~data you send to microsoft~data viewer~data usage overview~data to improve narrator~data systemwide~data settings~data sense~data saver~data restore~data plan~data limit~data instead of wifi~data for all apps~data connection with other devices~data captured by windows mixed reality~dark~darker touch feedback~dark theme~dark theme settings~dark mode systemwide~dark mode settings~dark mode for apps~dark colours~dark colors~dafault~c~cutting and pasting~cut and paste~customizing~customize~customize narrator sounds setting~customize narrator sound effects setting~customising~cust	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File dropped: C:\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284dprice of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File dropped: C:\$WinREAgent\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284dprice of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File dropped: C:\$WinREAgent\Scratch\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284dprice of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File dropped: C:\Users\jones\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284dprice of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address	Jump to dropped file
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	File dropped: C:\Users\user\AppData\Local\VirtualStore\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284dprice of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address	Jump to dropped file
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	File dropped: C:\Users\user\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284dprice of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address	Jump to dropped file

Writes many files with high entropy

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{9a386491-5394-47a0-a408-e4e3a9d60139}\0.0.filtertrie.intermediate.txt entropy: 7.99541629417	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\jones\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg entropy: 7.99734477506	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{9a386491-5394-47a0-a408-e4e3a9d60139}\Apps.ft entropy: 7.99696784612	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{70bdcd3f-91d1-45d6-848a-0c765c55504f}\0.0.filtertrie.intermediate.txt entropy: 7.99619580346	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{70bdcd3f-91d1-45d6-848a-0c765c55504f}\Apps.ft entropy: 7.99638538504	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json entropy: 7.99518799871	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm entropy: 7.99375107353	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite entropy: 7.99806344344	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{f78182d0-da37-4a03-8fe1-b917f4ad5bb8}\0.0.filtertrie.intermediate.txt entropy: 7.99513447547	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{f78182d0-da37-4a03-8fe1-b917f4ad5bb8}\Apps.ft entropy: 7.99689654847	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm entropy: 7.99471971553	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite entropy: 7.99736990992	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm entropy: 7.99498296249	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite entropy: 7.99807253666	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f2609905-bc23-4c47-8645-cbcf38bc7d2c}\settingsglobals.txt entropy: 7.9952403365	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f2609905-bc23-4c47-8645-cbcf38bc7d2c}\settingssynonyms.txt entropy: 7.99826459819	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-shm entropy: 7.99416097866	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite entropy: 7.99813187876	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico entropy: 7.99865877063	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\jones\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db entropy: 7.99564064923	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\jones\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico entropy: 7.99753409561	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\D3DSCache\f4d41c5d09ae781\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx entropy: 7.99768564873	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt entropy: 7.99505226627	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\jones\AppData\Local\ConnectedDevicesPlatform\L.jones\ActivitiesCache.db-shm entropy: 7.9936592669	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\jones\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt entropy: 7.99050960649	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin entropy: 7.99754247681	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\first_party_sets.db entropy: 7.99642334442	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db entropy: 7.99275977369	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db entropy: 7.99276670871	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db entropy: 7.99222281284	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db entropy: 7.9925754731	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules\rule230170v1.xml entropy: 7.99191674896	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules\rule230172v1.xml entropy: 7.99458045252	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\jones\AppData\Local\Microsoft\Office\16.0\officec2rclient.exe_Rules\rule230172v1.xml entropy: 7.99435233482	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\jones\AppData\Local\Microsoft\Office\16.0\officec2rclient.exe_Rules\rule230170v1.xml entropy: 7.99334846214	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001a.db entropy: 7.99820906494	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001b.db entropy: 7.99842401779	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db entropy: 7.99778873592	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db entropy: 7.99816703516	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl entropy: 7.99209719022	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml entropy: 7.99720369554	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\ThirdPartyNotice.html entropy: 7.99829710199	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat entropy: 7.99874219332	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.LOG1 entropy: 7.99768554768	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.LOG2 entropy: 7.99589123013	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-shm entropy: 7.99439303401	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppTracing_startedInBGMode.etl entropy: 7.99757928563	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\jones\AppData\Local\IconCache.db entropy: 7.99249873904	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules\rule440007v3.xml entropy: 7.9959867764	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules\rule440002v9.xml entropy: 7.99516036815	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat entropy: 7.99526713251	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2 entropy: 7.9948399456	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat entropy: 7.9962678907	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog.etl entropy: 7.99745043519	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog_Old.etl entropy: 7.99696208992	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\settings.dat entropy: 7.99115903383	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\jones\Local Settings\IconCache.db.watz (copy) entropy: 7.99249873904	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\D3DSCache\f4d41c5d09ae781\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx.watz (copy) entropy: 7.99768564873	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Temp\acrobat_sbx\acroNGLLog.txt.watz (copy) entropy: 7.99505226627	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Temp\scoped_dir5952_991612011\10f5ef49-b826-4bae-a469-4fe1cdaa885f.tmp.watz (copy) entropy: 7.9911912328	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\jones\Local Settings\ConnectedDevicesPlatform\L.jones\ActivitiesCache.db-shm.watz (copy) entropy: 7.9936592669	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\jones\Local Settings\Temp\acrobat_sbx\acroNGLLog.txt.watz (copy) entropy: 7.99050960649	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Adobe\Acrobat\DC\UserCache64.bin.watz (copy) entropy: 7.99754247681	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Google\Chrome\User Data\first_party_sets.db.watz (copy) entropy: 7.99642334442	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Microsoft\Office\OTele\excel.exe.db.watz (copy) entropy: 7.99275977369	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Microsoft\Office\OTele\officec2rclient.exe.db.watz (copy) entropy: 7.99276670871	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Microsoft\Office\OTele\officeclicktorun.exe.db.watz (copy) entropy: 7.99222281284	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Microsoft\Office\OTele\officesetup.exe.db.watz (copy) entropy: 7.9925754731	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001a.db.watz (copy) entropy: 7.99820906494	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001b.db.watz (copy) entropy: 7.99842401779	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db.watz (copy) entropy: 7.99778873592	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db.watz (copy) entropy: 7.99816703516	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl.watz (copy) entropy: 7.99209719022	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Microsoft\Windows\Shell\DefaultLayouts.xml.watz (copy) entropy: 7.99720369554	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\ThirdPartyNotice.html.watz (copy) entropy: 7.99829710199	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.watz (copy) entropy: 7.99874219332	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.LOG1.watz (copy) entropy: 7.99768554768	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.LOG2.watz (copy) entropy: 7.99589123013	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-shm.watz (copy) entropy: 7.99439303401	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppTracing_startedInBGMode.etl.watz (copy) entropy: 7.99757928563	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat.watz (copy) entropy: 7.99526713251	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2.watz (copy) entropy: 7.9948399456	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat.watz (copy) entropy: 7.9962678907	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog.etl.watz (copy) entropy: 7.99745043519	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxCommAlwaysOnLog_Old.etl.watz (copy) entropy: 7.99696208992	Jump to dropped file
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\user\Local Settings\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\settings.dat.watz (copy) entropy: 7.99115903383	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 33.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 33.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 2.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 2.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 29.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 29.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 20.2.66d5df681876c_file010924.exe.23615a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 20.2.66d5df681876c_file010924.exe.23615a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.66d5df681876c_file010924.exe.23615a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.66d5df681876c_file010924.exe.23615a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 12.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 12.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 25.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 28.2.66d5df681876c_file010924.exe.23215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 28.2.66d5df681876c_file010924.exe.23215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 20.2.66d5df681876c_file010924.exe.23615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 20.2.66d5df681876c_file010924.exe.23615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.66d5df681876c_file010924.exe.23915a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.66d5df681876c_file010924.exe.23915a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.66d5df681876c_file010924.exe.23915a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.66d5df681876c_file010924.exe.23915a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 21.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 21.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 12.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 12.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 2.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 2.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 29.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 29.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 32.2.66d5df681876c_file010924.exe.23d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 32.2.66d5df681876c_file010924.exe.23d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 25.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 28.2.66d5df681876c_file010924.exe.23215a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 28.2.66d5df681876c_file010924.exe.23215a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 24.2.66d5df681876c_file010924.exe.23815a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 24.2.66d5df681876c_file010924.exe.23815a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.2.66d5df681876c_file010924.exe.23e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.2.66d5df681876c_file010924.exe.23e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 32.2.66d5df681876c_file010924.exe.23d15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 32.2.66d5df681876c_file010924.exe.23d15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 33.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 33.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.2.66d5df681876c_file010924.exe.23e15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.2.66d5df681876c_file010924.exe.23e15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.66d5df681876c_file010924.exe.23615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.66d5df681876c_file010924.exe.23615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 24.2.66d5df681876c_file010924.exe.23815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 24.2.66d5df681876c_file010924.exe.23815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 21.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 21.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000020.00000002.2444319207.0000000002332000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001C.00000002.1624704973.000000000228E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000018.00000002.1506583704.0000000002380000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000020.00000002.2444379499.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000002.1282127310.00000000022FE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001C.00000002.1624809590.0000000002320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000019.00000002.1522339744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000019.00000002.1522339744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000000.00000002.1232942398.00000000022C9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001D.00000002.1635910279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000001D.00000002.1635910279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000014.00000002.1380517656.0000000002181000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000021.00000002.2454668093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000021.00000002.2454668093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000005.00000002.1261436866.00000000023E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000005.00000002.1261344737.000000000233F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1232991821.0000000002360000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000002.1282193755.0000000002390000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000002.00000002.1252295528.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000002.00000002.1252295528.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000018.00000002.1506412476.00000000022EA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000C.00000002.2488460103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000C.00000002.2488460103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000015.00000002.1393524836.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000015.00000002.1393524836.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000014.00000002.1380613748.0000000002360000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 66d5df681876c_file010924.exe PID: 6228, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 66d5df681876c_file010924.exe PID: 6476, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 66d5df681876c_file010924.exe PID: 1512, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 66d5df681876c_file010924.exe PID: 4244, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 66d5df681876c_file010924.exe PID: 1424, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 66d5df681876c_file010924.exe PID: 7864, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_02360110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,	0_2_02360110
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023E0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,	5_2_023E0110
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_02390110 VirtualAlloc,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,	6_2_02390110

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_0040D261	0_2_0040D261
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_0040B88F	0_2_0040B88F
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_0040C4BC	0_2_0040C4BC
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_00408504	0_2_00408504
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_0040B33E	0_2_0040B33E
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_02367220	0_2_02367220
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_023E22C0	0_2_023E22C0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_023AE37C	0_2_023AE37C
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_02367393	0_2_02367393
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_0237F030	0_2_0237F030
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_0236A026	0_2_0236A026
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_0236B000	0_2_0236B000
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_0236B0B0	0_2_0236B0B0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_023630F0	0_2_023630F0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_023670E0	0_2_023670E0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_023700D0	0_2_023700D0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_02369120	0_2_02369120
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_023AE141	0_2_023AE141
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_0238D1A4	0_2_0238D1A4
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_023AB69F	0_2_023AB69F
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_0236A699	0_2_0236A699
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_0236E6E0	0_2_0236E6E0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_0236C760	0_2_0236C760
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_0236A79A	0_2_0236A79A
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_0238D7F1	0_2_0238D7F1
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_02363520	0_2_02363520
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_02367520	0_2_02367520
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_0236CA10	0_2_0236CA10
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_02367A80	0_2_02367A80
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_02370B00	0_2_02370B00
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_02362B60	0_2_02362B60
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_0236DBE0	0_2_0236DBE0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_02367880	0_2_02367880
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_023818D0	0_2_023818D0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_0237A930	0_2_0237A930
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_0236A916	0_2_0236A916
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_0238F9B0	0_2_0238F9B0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_0238E9A3	0_2_0238E9A3
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_023659F7	0_2_023659F7
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_023689D0	0_2_023689D0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_02368E60	0_2_02368E60
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_02394E9F	0_2_02394E9F
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_023A2D1E	0_2_023A2D1E
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_02365DF7	0_2_02365DF7
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_02365DE7	0_2_02365DE7
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0040D240	2_2_0040D240
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00419F90	2_2_00419F90
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0040C070	2_2_0040C070
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0042E003	2_2_0042E003
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00408030	2_2_00408030
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00410160	2_2_00410160
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_004C8113	2_2_004C8113
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_004021C0	2_2_004021C0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0044237E	2_2_0044237E
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_004084C0	2_2_004084C0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_004344FF	2_2_004344FF
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0043E5A3	2_2_0043E5A3
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0040A660	2_2_0040A660
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0041E690	2_2_0041E690
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00406740	2_2_00406740
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00402750	2_2_00402750
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0040A710	2_2_0040A710
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00408780	2_2_00408780
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0042C804	2_2_0042C804
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00406880	2_2_00406880
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_004349F3	2_2_004349F3
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_004069F3	2_2_004069F3
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00402B80	2_2_00402B80
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00406B80	2_2_00406B80
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0044ACFF	2_2_0044ACFF
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0042CE51	2_2_0042CE51
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00434E0B	2_2_00434E0B
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00406EE0	2_2_00406EE0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00420F30	2_2_00420F30
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00405057	2_2_00405057
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0042F010	2_2_0042F010
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_004070E0	2_2_004070E0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_004391F6	2_2_004391F6
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00435240	2_2_00435240
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_004C9343	2_2_004C9343
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00405447	2_2_00405447
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00405457	2_2_00405457
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00449506	2_2_00449506
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0044B5B1	2_2_0044B5B1
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00435675	2_2_00435675
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00409686	2_2_00409686
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0040F730	2_2_0040F730
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0044D7A1	2_2_0044D7A1
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00481920	2_2_00481920
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0044D9DC	2_2_0044D9DC
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00449A71	2_2_00449A71
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00443B40	2_2_00443B40
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00409CF9	2_2_00409CF9
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0040DD40	2_2_0040DD40
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00427D6C	2_2_00427D6C
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0040BDC0	2_2_0040BDC0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00409DFA	2_2_00409DFA
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00409F76	2_2_00409F76
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0046BFE0	2_2_0046BFE0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00449FE3	2_2_00449FE3
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_0040D261	5_2_0040D261
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_0040B88F	5_2_0040B88F
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_0040C4BC	5_2_0040C4BC
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_00408504	5_2_00408504
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_0040B33E	5_2_0040B33E
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023E7220	5_2_023E7220
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_024622C0	5_2_024622C0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_0242E37C	5_2_0242E37C
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023E7393	5_2_023E7393
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023FF030	5_2_023FF030
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023EA026	5_2_023EA026
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023EB000	5_2_023EB000
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023EB0B0	5_2_023EB0B0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023E30F0	5_2_023E30F0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023E70E0	5_2_023E70E0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023F00D0	5_2_023F00D0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_0242E141	5_2_0242E141
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023E9120	5_2_023E9120
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_0240D1A4	5_2_0240D1A4
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023EA699	5_2_023EA699
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_0242B69F	5_2_0242B69F
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023EE6E0	5_2_023EE6E0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023EC760	5_2_023EC760
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023EA79A	5_2_023EA79A
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_0240D7F1	5_2_0240D7F1
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023E3520	5_2_023E3520
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023E7520	5_2_023E7520
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023ECA10	5_2_023ECA10
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023E7A80	5_2_023E7A80
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023F0B00	5_2_023F0B00
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023E2B60	5_2_023E2B60
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023EDBE0	5_2_023EDBE0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_024018D0	5_2_024018D0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023E7880	5_2_023E7880
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023FA930	5_2_023FA930
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023EA916	5_2_023EA916
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023E59F7	5_2_023E59F7
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_0240E9A3	5_2_0240E9A3
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023E89D0	5_2_023E89D0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_0240F9B0	5_2_0240F9B0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023E8E60	5_2_023E8E60
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_02414E9F	5_2_02414E9F
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_02422D1E	5_2_02422D1E
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023E5DF7	5_2_023E5DF7
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023E5DE7	5_2_023E5DE7
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_02397220	6_2_02397220
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_024122C0	6_2_024122C0
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_023DE37C	6_2_023DE37C
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_02397393	6_2_02397393
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_023AF030	6_2_023AF030
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_0239A026	6_2_0239A026
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_0239B000	6_2_0239B000
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_0239B0B0	6_2_0239B0B0
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_023930F0	6_2_023930F0
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_023970E0	6_2_023970E0
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_023A00D0	6_2_023A00D0
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_02399120	6_2_02399120
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_023DE141	6_2_023DE141
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_023BD1A4	6_2_023BD1A4
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_0239A699	6_2_0239A699
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_023DB69F	6_2_023DB69F
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_0239E6E0	6_2_0239E6E0
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_0239C760	6_2_0239C760
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_0239A79A	6_2_0239A79A
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_023BD7F1	6_2_023BD7F1
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_02393520	6_2_02393520
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_02397520	6_2_02397520
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_0239CA10	6_2_0239CA10
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_02397A80	6_2_02397A80
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_023A0B00	6_2_023A0B00
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_02392B60	6_2_02392B60
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_0239DBE0	6_2_0239DBE0
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_02397880	6_2_02397880
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_023B18D0	6_2_023B18D0
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_023AA930	6_2_023AA930
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_0239A916	6_2_0239A916
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_023BF9B0	6_2_023BF9B0
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_023BE9A3	6_2_023BE9A3
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_023959F7	6_2_023959F7
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_023989D0	6_2_023989D0
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_02398E60	6_2_02398E60
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_023C4E9F	6_2_023C4E9F
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_023D2D1E	6_2_023D2D1E
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_02395DF7	6_2_02395DF7
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_02395DE7	6_2_02395DE7
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0042E003	12_2_0042E003
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0041E690	12_2_0041E690
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0040F730	12_2_0040F730
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00481920	12_2_00481920
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00419F90	12_2_00419F90
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050D050	12_2_0050D050
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00405057	12_2_00405057
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0040C070	12_2_0040C070
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0042F010	12_2_0042F010
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050D008	12_2_0050D008
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00408030	12_2_00408030
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050D028	12_2_0050D028
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_004070E0	12_2_004070E0
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050D090	12_2_0050D090
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050D0A8	12_2_0050D0A8
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00410160	12_2_00410160
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_004C8113	12_2_004C8113
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_004021C0	12_2_004021C0
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0040D240	12_2_0040D240
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_004C9343	12_2_004C9343
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0044237E	12_2_0044237E
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00405447	12_2_00405447
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00405457	12_2_00405457
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_004084C0	12_2_004084C0
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050C4E0	12_2_0050C4E0
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_004344FF	12_2_004344FF
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00449506	12_2_00449506
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0043E5A3	12_2_0043E5A3
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0044B5B1	12_2_0044B5B1
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0040A660	12_2_0040A660
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00409686	12_2_00409686
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00406740	12_2_00406740
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00402750	12_2_00402750
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0040A710	12_2_0040A710
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00408780	12_2_00408780
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0044D7A1	12_2_0044D7A1
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0042C804	12_2_0042C804
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00406880	12_2_00406880
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050C960	12_2_0050C960
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050C928	12_2_0050C928
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0044D9DC	12_2_0044D9DC
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_004069F3	12_2_004069F3
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050C988	12_2_0050C988
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050C9A8	12_2_0050C9A8
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00449A71	12_2_00449A71
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_004E1AB0	12_2_004E1AB0
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00443B40	12_2_00443B40
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050CB78	12_2_0050CB78
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00402B80	12_2_00402B80
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00406B80	12_2_00406B80
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00409CF9	12_2_00409CF9
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0044ACFF	12_2_0044ACFF
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0040DD40	12_2_0040DD40
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00427D6C	12_2_00427D6C
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050CD60	12_2_0050CD60
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0040BDC0	12_2_0040BDC0
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050CDF0	12_2_0050CDF0
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00409DFA	12_2_00409DFA
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050CE58	12_2_0050CE58
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0042CE51	12_2_0042CE51
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00406EE0	12_2_00406EE0
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00409F76	12_2_00409F76
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00420F30	12_2_00420F30
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050CF28	12_2_0050CF28
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050CFC0	12_2_0050CFC0
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00449FE3	12_2_00449FE3
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050CF90	12_2_0050CF90

Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: String function: 00428C81 appears 37 times
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: String function: 023B8EC0 appears 57 times
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: String function: 023C0160 appears 50 times
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: String function: 004547A0 appears 33 times
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: String function: 0042F7C0 appears 75 times
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: String function: 0044F23E appears 55 times
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: String function: 00428520 appears 67 times
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: String function: 00454E50 appears 36 times
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: String function: 00428C81 appears 42 times
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: String function: 02410160 appears 50 times
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: String function: 004547A0 appears 75 times
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: String function: 02390160 appears 50 times
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: String function: 0042F7C0 appears 99 times
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: String function: 0044F23E appears 53 times
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: String function: 00428520 appears 77 times
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: String function: 02408EC0 appears 57 times
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: String function: 00454E50 appears 42 times
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: String function: 02388EC0 appears 57 times

Source: 66d5df681876c_file010924.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 33.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 33.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 2.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 2.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 29.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 29.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 20.2.66d5df681876c_file010924.exe.23615a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 20.2.66d5df681876c_file010924.exe.23615a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.66d5df681876c_file010924.exe.23615a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.66d5df681876c_file010924.exe.23615a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 12.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 25.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 28.2.66d5df681876c_file010924.exe.23215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 28.2.66d5df681876c_file010924.exe.23215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 20.2.66d5df681876c_file010924.exe.23615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 20.2.66d5df681876c_file010924.exe.23615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.66d5df681876c_file010924.exe.23915a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.66d5df681876c_file010924.exe.23915a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.66d5df681876c_file010924.exe.23915a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.66d5df681876c_file010924.exe.23915a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 21.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 21.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 12.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 2.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 2.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 29.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 29.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 32.2.66d5df681876c_file010924.exe.23d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 32.2.66d5df681876c_file010924.exe.23d15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 25.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 28.2.66d5df681876c_file010924.exe.23215a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 28.2.66d5df681876c_file010924.exe.23215a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 24.2.66d5df681876c_file010924.exe.23815a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 24.2.66d5df681876c_file010924.exe.23815a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.2.66d5df681876c_file010924.exe.23e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.2.66d5df681876c_file010924.exe.23e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 32.2.66d5df681876c_file010924.exe.23d15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 32.2.66d5df681876c_file010924.exe.23d15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 33.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 33.2.66d5df681876c_file010924.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.2.66d5df681876c_file010924.exe.23e15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.2.66d5df681876c_file010924.exe.23e15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.66d5df681876c_file010924.exe.23615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.66d5df681876c_file010924.exe.23615a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 24.2.66d5df681876c_file010924.exe.23815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 24.2.66d5df681876c_file010924.exe.23815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 21.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 21.2.66d5df681876c_file010924.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000020.00000002.2444319207.0000000002332000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001C.00000002.1624704973.000000000228E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000018.00000002.1506583704.0000000002380000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000020.00000002.2444379499.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000002.1282127310.00000000022FE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001C.00000002.1624809590.0000000002320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000019.00000002.1522339744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000019.00000002.1522339744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000000.00000002.1232942398.00000000022C9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001D.00000002.1635910279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000001D.00000002.1635910279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000014.00000002.1380517656.0000000002181000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000021.00000002.2454668093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000021.00000002.2454668093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000005.00000002.1261436866.00000000023E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000005.00000002.1261344737.000000000233F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1232991821.0000000002360000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000002.1282193755.0000000002390000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000002.00000002.1252295528.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000002.00000002.1252295528.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000018.00000002.1506412476.00000000022EA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000C.00000002.2488460103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000C.00000002.2488460103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000015.00000002.1393524836.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000015.00000002.1393524836.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000014.00000002.1380613748.0000000002360000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 66d5df681876c_file010924.exe PID: 6228, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 66d5df681876c_file010924.exe PID: 6476, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 66d5df681876c_file010924.exe PID: 1512, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 66d5df681876c_file010924.exe PID: 4244, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 66d5df681876c_file010924.exe PID: 1424, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 66d5df681876c_file010924.exe PID: 7864, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23

Source: 66d5df681876c_file010924.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66d5df681876c_file010924.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.rans.spre.troj.spyw.evad.winEXE@23/1373@4/2

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Code function: 2_2_00411900 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,_memset,lstrcpynW,MessageBoxW,LocalFree,LocalFree,LocalFree,

2_2_00411900

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Code function: 0_2_00403900 GetCharWidthFloatA,GetCurrentProcess,SetLastError,GetCurrentProcess,GetCharWidthFloatA,GetBitmapBits,GetCharWidth32A,GetMenuStringA,LoadMenuW,CreateDCW,CreateFileMappingW,EnumResourceNamesA,InterlockedExchangeAdd,GlobalAlloc,VirtualProtect,LoadMenuW,CharUpperW,LoadMenuW,CharUpperW,GetTickCount,GetDiskFreeSpaceExA,SetConsoleCP,GetDiskFreeSpaceExA,SetConsoleCP,LoadLibraryW,PeekConsoleInputA,WaitForDebugEvent,LCMapStringW,SetEnvironmentVariableW,LCMapStringW,SetEnvironmentVariableW,OpenEventA,SetLastError,GetFileAttributesA,GetShortPathNameW,GlobalWire,GetFileAttributesA,GetShortPathNameW,GlobalWire,GetThreadPriorityBoost,SetDefaultCommConfigW,GetSystemWindowsDirectoryA,InterlockedCompareExchange,LoadLibraryA,

0_2_00403900

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Code function: 0_2_022C97C6 CreateToolhelp32Snapshot,Module32First,

0_2_022C97C6

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Code function: 2_2_0040D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,__localtime64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize,

2_2_0040D240

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\geo[1].json

Jump to behavior

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: jJ,S	0_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: \|6A(	0_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: <*yL	0_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: augY	0_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: hr_3	0_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: 6._;	0_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: Hk<	0_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: @9L/	0_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: L+U5	0_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: CS?	0_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: :6Y2	0_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: s.Y*	0_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: ,Sf	0_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: `o@	0_2_00406EB0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: --Admin	2_2_00419F90
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: IsAutoStart	2_2_00419F90
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: IsTask	2_2_00419F90
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: --ForNetRes	2_2_00419F90
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: IsAutoStart	2_2_00419F90
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: IsTask	2_2_00419F90
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: --Task	2_2_00419F90
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: --AutoStart	2_2_00419F90
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: --Service	2_2_00419F90
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: X1P	2_2_00419F90
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: --Admin	2_2_00419F90
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: runas	2_2_00419F90
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: x2Q	2_2_00419F90
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: x*P	2_2_00419F90
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: C:\Windows\	2_2_00419F90
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: D:\Windows\	2_2_00419F90
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: 7P	2_2_00419F90
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: %username%	2_2_00419F90
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: F:\	2_2_00419F90
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: jJ,S	5_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: \|6A(	5_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: <*yL	5_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: augY	5_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: hr_3	5_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: 6._;	5_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: Hk<	5_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: @9L/	5_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: L+U5	5_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: CS?	5_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: :6Y2	5_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: s.Y*	5_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: ,Sf	5_2_00403BF0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Command line argument: `o@	5_2_00406EB0
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Command line argument: --Admin	12_2_00419F90
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Command line argument: IsAutoStart	12_2_00419F90
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Command line argument: IsTask	12_2_00419F90
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Command line argument: --ForNetRes	12_2_00419F90
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Command line argument: IsAutoStart	12_2_00419F90
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Command line argument: IsTask	12_2_00419F90
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Command line argument: --Task	12_2_00419F90
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Command line argument: --AutoStart	12_2_00419F90
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Command line argument: --Service	12_2_00419F90
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Command line argument: X1P	12_2_00419F90
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Command line argument: --Admin	12_2_00419F90
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Command line argument: runas	12_2_00419F90
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Command line argument: x2Q	12_2_00419F90
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Command line argument: x*P	12_2_00419F90
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Command line argument: C:\Windows\	12_2_00419F90
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Command line argument: D:\Windows\	12_2_00419F90
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Command line argument: 7P	12_2_00419F90
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Command line argument: %username%	12_2_00419F90
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Command line argument: F:\	12_2_00419F90

Source: 66d5df681876c_file010924.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 66d5df681876c_file010924.exe

ReversingLabs: Detection: 71%

Source: 66d5df681876c_file010924.exe	String found in binary or memory: set-addPolicy
Source: 66d5df681876c_file010924.exe	String found in binary or memory: id-cmc-addExtensions
Source: 66d5df681876c_file010924.exe	String found in binary or memory: set-addPolicy
Source: 66d5df681876c_file010924.exe	String found in binary or memory: id-cmc-addExtensions
Source: 66d5df681876c_file010924.exe	String found in binary or memory: set-addPolicy
Source: 66d5df681876c_file010924.exe	String found in binary or memory: id-cmc-addExtensions
Source: 66d5df681876c_file010924.exe	String found in binary or memory: set-addPolicy
Source: 66d5df681876c_file010924.exe	String found in binary or memory: id-cmc-addExtensions
Source: 66d5df681876c_file010924.exe	String found in binary or memory: id-cmc-addExtensions

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

File read: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Jump to behavior

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: browcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: browcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Section loaded: ncryptsslp.dll

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 66d5df681876c_file010924.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\che\p source: 66d5df681876c_file010924.exe, 00000007.00000003.1874024202.00000000035B6000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1873342035.0000000003596000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862419723.000000000358D000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862505786.0000000003598000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1874976893.00000000035C6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\e\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1926069584.000000000386F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1873929708.0000000003857000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1927184545.0000000003876000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1898829486.000000000383F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1874849344.000000000385E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\Data\P source: 66d5df681876c_file010924.exe, 00000007.00000003.1449642704.00000000034F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\e\\oC source: 66d5df681876c_file010924.exe, 00000007.00000003.1419014721.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1419063280.00000000006B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\*8Ym9W source: 66d5df681876c_file010924.exe, 00000007.00000003.1874172143.00000000034AD000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1876173870.00000000034C4000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1841010847.00000000034C1000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1863595092.00000000034B3000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1857497513.00000000034C3000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1896115774.00000000034A1000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1897648882.00000000034C6000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781668191.00000000034BD000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1940486710.00000000034C0000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1896183215.00000000034C3000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1925928920.00000000034B5000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1840831198.00000000034A1000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1927479762.00000000034BC000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1856785304.00000000034A9000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862923885.00000000034AC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\\* source: 66d5df681876c_file010924.exe, 00000007.00000003.1407550736.0000000003018000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\AC\D@y source: 66d5df681876c_file010924.exe, 00000007.00000003.1939452087.0000000003E58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1923844523.0000000003DE8000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1939452087.0000000003DE8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1503154342.0000000003586000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1503857906.0000000002FED000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781457345.0000000003540000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781705167.0000000003596000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1646227393.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1449688125.000000000358E000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1503665626.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1449273396.0000000003560000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781558146.0000000003578000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1644137786.000000000357F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1781606614.00000000034CE000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1841010847.00000000034C1000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1644137786.000000000357F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1840831198.00000000034A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1841840045.00000000038DF000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862345075.000000000392F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862065132.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1841612895.00000000038B7000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1855268527.00000000038AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\s\X- source: 66d5df681876c_file010924.exe, 00000007.00000003.1841566342.000000000355A000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1842024201.000000000355B000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1840659359.0000000003540000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1842496402.0000000003581000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1841761179.000000000355B000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1840136245.0000000003515000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1842318558.000000000357F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1782551785.00000000034A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1842736440.000000000383F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1921818522.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1897447370.0000000003BC1000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1928412478.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1896722726.0000000003C68000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1898391125.0000000003CB8000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1897980412.0000000003C87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*^R source: 66d5df681876c_file010924.exe, 00000007.00000003.1644137786.000000000357F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1782075407.00000000035DA000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1841048090.0000000003630000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1782415161.0000000003614000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1782250781.00000000035DB000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781335365.00000000035BE000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1782358386.0000000003608000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1646227393.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1782627575.000000000362C000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1840928675.0000000003618000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1842632171.0000000003633000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1840031953.00000000035DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 66d5df681876c_file010924.exe, 66d5df681876c_file010924.exe, 0000000C.00000002.2488460103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000014.00000002.1380613748.0000000002360000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\Etx source: 66d5df681876c_file010924.exe, 00000007.00000003.1897447370.0000000003BC1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\.q source: 66d5df681876c_file010924.exe, 00000007.00000003.1644137786.000000000357F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\R\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1644137786.000000000357F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 66d5df681876c_file010924.exe, 00000007.00000003.1354753858.0000000003440000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdesk\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1449434066.00000000034FF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1449688125.000000000358E000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1449273396.0000000003560000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 66d5df681876c_file010924.exe, 00000000.00000002.1232991821.0000000002360000.00000040.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000002.00000002.1252295528.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000005.00000002.1261436866.00000000023E0000.00000040.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000006.00000002.1282193755.0000000002390000.00000040.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 0000000C.00000002.2488460103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000014.00000002.1380613748.0000000002360000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\06\n [<k source: 66d5df681876c_file010924.exe, 00000007.00000003.1863411961.0000000003005000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\9 source: 66d5df681876c_file010924.exe, 00000007.00000003.1939452087.0000000003E58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\` source: 66d5df681876c_file010924.exe, 00000007.00000003.1856829390.0000000003638000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1875087794.0000000003640000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1841048090.0000000003630000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1873658789.00000000035CE000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1873342035.0000000003596000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1873863860.00000000035DE000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1856302765.00000000035E6000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1856700609.0000000003618000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1840928675.0000000003618000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1842632171.0000000003633000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1874583286.000000000361A000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1840031953.00000000035DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1926069584.000000000386F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1926339843.0000000003AB6000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1927184545.0000000003876000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1927721951.00000000038AF000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1940441236.000000000389F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ate\d source: 66d5df681876c_file010924.exe, 00000007.00000003.1941224453.00000000035D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1503426204.0000000003016000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1414687237.0000000003052000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1449970090.0000000003047000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1503544842.0000000003047000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1414539784.0000000003039000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1414572819.000000000304A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1841678052.00000000037B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Uz source: 66d5df681876c_file010924.exe, 00000007.00000003.1895097511.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1927368986.000000000392F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1925557469.00000000038E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\ules\; source: 66d5df681876c_file010924.exe, 00000007.00000003.1450042666.0000000003540000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1449434066.00000000034FF000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781457345.0000000003540000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1503598195.0000000003540000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1645701345.0000000003543000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1503233619.000000000350C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\o source: 66d5df681876c_file010924.exe, 00000007.00000003.1926069584.000000000386F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1873929708.0000000003857000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1927184545.0000000003876000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1898829486.000000000383F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1874849344.000000000385E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\:\UML source: 66d5df681876c_file010924.exe, 00000007.00000003.1841840045.00000000038DF000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862345075.000000000392F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862065132.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1841612895.00000000038B7000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1855268527.00000000038AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\<9 source: 66d5df681876c_file010924.exe, 00000007.00000003.1863411961.0000000003005000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1940798434.00000000035F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\:\Users8 source: 66d5df681876c_file010924.exe, 00000007.00000003.1920725014.00000000039FD000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1920436665.00000000039A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\ing source: 66d5df681876c_file010924.exe, 00000007.00000003.1414632632.0000000003014000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1503426204.0000000003016000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1414598195.0000000003009000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1503810721.0000000003027000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1895097511.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1927368986.000000000392F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1925557469.00000000038E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\Data\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1856221697.00000000034EA000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1856521488.0000000003519000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862785834.000000000352D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1407734481.0000000002FEF000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1407618047.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1414663073.0000000002FF1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1941309860.00000000037B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\f source: 66d5df681876c_file010924.exe, 00000007.00000003.1503888368.0000000002FD5000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781997057.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1646227393.0000000002FD5000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781792022.0000000002FD5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1840619727.00000000035B6000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781457345.0000000003540000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781705167.0000000003596000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781997057.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1840136245.0000000003515000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781558146.0000000003578000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1782471207.0000000003010000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1781792022.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\40m source: 66d5df681876c_file010924.exe, 00000007.00000003.1873929708.0000000003857000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1874849344.000000000385E000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862690814.000000000383F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1926339843.0000000003AB6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\.watzz/ source: 66d5df681876c_file010924.exe, 00000007.00000003.1873929708.0000000003857000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1874849344.000000000385E000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862690814.000000000383F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\X source: 66d5df681876c_file010924.exe, 00000007.00000003.1842736440.000000000383F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1898829486.000000000383F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862690814.000000000383F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1941365593.000000000383F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\n\. source: 66d5df681876c_file010924.exe, 00000007.00000003.1926069584.000000000386F000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1927184545.0000000003876000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1927721951.00000000038AF000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1940441236.000000000389F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\= source: 66d5df681876c_file010924.exe, 00000007.00000003.1876772587.0000000003BB1000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1897447370.0000000003BC1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\) source: 66d5df681876c_file010924.exe, 00000007.00000003.1449273396.0000000003560000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1876772587.0000000003BB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1926173964.0000000003525000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1925928920.00000000034F9000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1921818522.0000000003BD0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\s\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1856221697.00000000034EA000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1856521488.0000000003519000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862785834.000000000352D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\G[- source: 66d5df681876c_file010924.exe, 00000007.00000003.1921818522.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1928412478.0000000003D38000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1896722726.0000000003C68000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1898391125.0000000003CB8000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1897980412.0000000003C87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\] source: 66d5df681876c_file010924.exe, 00000007.00000003.1862736852.00000000038D7000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1841840045.00000000038DF000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862065132.00000000038AE000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1841612895.00000000038B7000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1855268527.00000000038AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\s\> source: 66d5df681876c_file010924.exe, 00000007.00000003.1874024202.00000000035B6000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1873342035.0000000003596000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862419723.000000000358D000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1862505786.0000000003598000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1874976893.00000000035C6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\he\ source: 66d5df681876c_file010924.exe, 00000007.00000003.1781606614.00000000034CE000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1840342955.00000000034D4000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Unpacked PE file: 2.2.66d5df681876c_file010924.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Unpacked PE file: 12.2.66d5df681876c_file010924.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Unpacked PE file: 21.2.66d5df681876c_file010924.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Unpacked PE file: 25.2.66d5df681876c_file010924.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Unpacked PE file: 29.2.66d5df681876c_file010924.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Unpacked PE file: 33.2.66d5df681876c_file010924.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Unpacked PE file: 2.2.66d5df681876c_file010924.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Unpacked PE file: 12.2.66d5df681876c_file010924.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Unpacked PE file: 21.2.66d5df681876c_file010924.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Unpacked PE file: 25.2.66d5df681876c_file010924.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Unpacked PE file: 29.2.66d5df681876c_file010924.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Unpacked PE file: 33.2.66d5df681876c_file010924.exe.400000.0.unpack

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Code function: 0_2_00408E64 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00408E64

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_00407005 push ecx; ret	0_2_00407018
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_022CC0AF push ecx; retf	0_2_022CC0B2
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_02388F05 push ecx; ret	0_2_02388F18
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00428565 push ecx; ret	2_2_00428578
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_00407005 push ecx; ret	5_2_00407018
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023420AF push ecx; retf	5_2_023420B2
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_02408F05 push ecx; ret	5_2_02408F18
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_023010AF push ecx; retf	6_2_023010B2
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_023B8F05 push ecx; ret	6_2_023B8F18
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050D050 push eax; retn 004Dh	12_2_0050D6B5
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050D008 push eax; retn 004Dh	12_2_0050D6B5
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050D028 push eax; retn 004Dh	12_2_0050D6B5
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050D090 push eax; retn 004Dh	12_2_0050D6B5
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050D0A8 push eax; retn 004Dh	12_2_0050D6B5
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050D318 push eax; retn 004Dh	12_2_0050D6B5
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050C4E0 push eax; retn 004Dh	12_2_0050D6B5
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050D550 push eax; retn 004Dh	12_2_0050D6B5
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00428565 push ecx; ret	12_2_00428578
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050D698 push eax; retn 004Dh	12_2_0050D6B5
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050C960 push eax; retn 004Dh	12_2_0050D6B5
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050C928 push eax; retn 004Dh	12_2_0050D6B5
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050C988 push eax; retn 004Dh	12_2_0050D6B5
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050C9A8 push eax; retn 004Dh	12_2_0050D6B5
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050CB78 push eax; retn 004Dh	12_2_0050D6B5
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050CD60 push eax; retn 004Dh	12_2_0050D6B5
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050CDF0 push eax; retn 004Dh	12_2_0050D6B5
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050CE58 push eax; retn 004Dh	12_2_0050D6B5
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050CF28 push eax; retn 004Dh	12_2_0050D6B5
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050CFC0 push eax; retn 004Dh	12_2_0050D6B5
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0050CF90 push eax; retn 004Dh	12_2_0050D6B5

Source: 66d5df681876c_file010924.exe	Static PE information: section name: .text entropy: 7.924714226500883
Source: 66d5df681876c_file010924.exe.2.dr	Static PE information: section name: .text entropy: 7.924714226500883

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	System file written: C:\Users\user\AppData\Local\Temp\chrome.exe			Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	System file written: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\ThirdPartyNotice.html			Jump to behavior

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

File created: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe

Jump to dropped file

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\_readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\$WinREAgent\_readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\$WinREAgent\Scratch\_readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File created: C:\Users\jones\_readme.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	File created: C:\_readme.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	File created: C:\Users\user\_readme.txt	Jump to behavior

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Code function: 2_2_00481920 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,

2_2_00481920

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Code function: 0_2_022CA71C rdtsc

0_2_022CA71C

Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe

Code function: 12_2_00481920 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,GetTickCount,Heap32ListFirst,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,

12_2_00481920

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,		2_2_0040E670
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,		12_2_0040E670

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Thread delayed: delay time: 1100000

Jump to behavior

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_2-45119

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe TID: 7788

Thread sleep time: -1100000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	2_2_00410160
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	2_2_0040F730
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	2_2_0040FB98
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	12_2_0040F730
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_00410160 Sleep,PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	12_2_00410160
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	12_2_0040FB98

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

0_2_00403626

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Thread delayed: delay time: 1100000

Jump to behavior

Source: 66d5df681876c_file010924.exe, 00000002.00000003.1250134757.0000000000635000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000002.00000002.1252430363.0000000000635000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000002.00000003.1251377452.0000000000635000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWw
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1850189989.0000000003300000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: var fbpkgiid = fbpkgiid \|\| {}; fbpkgiid.page = '';;(function(BingAtWork) { if (typeof (bfbWsbTel) !== "undefined") { BingAtWork.WsbWebTelemetry.init({"cfg":{"e":true,"env":"PROD","t":"33d70a864599496b982a39f036f71122-2064703e-3a9d-4d90-8362-eec08dffe8e8-7176"},"ig":"751E9D17E4CD42EBAA6AE59A6ED5C22A","ConversationId":"5eff9dee-03ff-465e-bf2b-c48d3d202d68","LogicalId":"33366b5b-54ef-48bf-819d-677748eae9e3","tid":"651e6ab87a454702b15a8b0357a081d8","sid":"0017FC1997EE65330FCEEFB896C06426","uid":"","muid":"A92BA4E78D2946A0AFDA5029FA43D7A8","puid":null,"isMtr":false,"tn":null,"tnid":null,"msa":false,"mkt":"en-us","b":"edge","eref":"Ref A: 651e6ab87a454702b15a8b0357a081d8 Ref B: MWHEEEAP0024FD7 Ref C: 2023-10-05T07:50:16Z","vs":{"BAW10":"BFBLCLAZYCF","BAW11":"MSBSSVLMCF","BAW5":"MSBCUSTNONALL","BAW7":"BFBPROWSBINITT1","BAW9":"BCEPREC","CLIENT":"WINDOWS","COLUMN":"SINGLE","FEATURE.BFBCREFINER":"1","FEATURE.BFBLCLAZYCF":"1","FEATURE.BFBPROWSBINIT":"1","FEATURE.BFBPROWSBINITT1":"1","FEATURE.BFBWSBCM0921CF":"1","FEATURE.MSBCUSTNONALL":"1","FEATURE.MSBSSVLMCF":"1","FEATURE.MSNSBC2":"1","FEATURE.WSBREF-T":"1","MKT":"EN-US","MS":"0","NEWHEADER":"1","THEME":"THBRAND","UILANG":"EN"},"dev":"DESKTOP","os":"WINDOWS","osver":"11","dc":"CoreUX-Prod-MWHE01","canvas":"","sci":true,"isMidgardEnabled":true,"isHomepage":false,"snrVersion":"2023.10.04.39971431"}); } })(BingAtWork \|\| (BingAtWork = {}));;_w.rms.js({'A:rms:answers:BoxModel:Framework':'https:\/\/r.bing.com\/rb\/18\/jnc,nj\/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w'});;
Source: 66d5df681876c_file010924.exe, 00000015.00000002.1394638850.0000000000708000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: 66d5df681876c_file010924.exe, 00000002.00000002.1252430363.0000000000619000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1371578979.0000000003442000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1380295777.0000000003440000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 10/03/2023 13:09:52.535OFFICECL (0x2394)0x12d8Telemetry EventbiyhqMediumSendEvent {"EventName": "Office.System.SystemHealthMetadataDeviceConsolidated", "Flags": 33777031581908737, "InternalSequenceNumber": 11, "Time": "2023-10-03T12:09:52Z", "Rule": "120600.4", "AriaTenantToken": "cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521", "Contract": "Office.Legacy.Metadata", "Data.ProcTypeText": "x64", "Data.ProcessorCount": 2, "Data.NumProcShareSingleCore": 1, "Data.NumProcShareSingleCache": 1, "Data.NumProcPhysCores": 2, "Data.ProcSpeedMHz": 2000, "Data.IsLaptop": false, "Data.IsTablet": false, "Data.RamMB": 4096, "Data.PowerPlatformRole": 1, "Data.SysVolSizeMB": 50000, "Data.DeviceManufacturer": "VMWare, Inc.", "Data.DeviceModel": "VMware20,1", "Data.DigitizerInfo": 0, "Data.SusClientId": "097C77FB-5D5D-4868-860B-09F4E5B50A53", "Data.WindowsSqmMachineId": "92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A", "Data.ComputerSystemProductUuidHash": "rC2kkStHpWGLvfAgmQZRz4w5ixE=", "Data.DeviceProcessorModel": "Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "Data.HasSpectreFix": true, "Data.BootDiskType": "SSD"}
Source: 66d5df681876c_file010924.exe, 00000007.00000003.1371578979.0000000003442000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: 66d5df681876c_file010924.exe, 00000002.00000003.1250134757.0000000000635000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000002.00000002.1252430363.00000000005D8000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000002.00000002.1252430363.0000000000635000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000002.00000003.1251377452.0000000000635000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1273669336.0000000000656000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.0000000000638000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000015.00000002.1394638850.0000000000796000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.00000000006C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWxI

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

API call chain: ExitProcess graph end node

graph_2-45121

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Code function: 0_2_022CA71C rdtsc

0_2_022CA71C

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Code function: 0_2_00405CA9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00405CA9

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Code function: 2_2_0042A57A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

2_2_0042A57A

Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe

12_2_00481920

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

0_2_00408E64

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_022C90A3 push dword ptr fs:[00000030h]	0_2_022C90A3
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_02360042 push dword ptr fs:[00000030h]	0_2_02360042
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_0233F0A3 push dword ptr fs:[00000030h]	5_2_0233F0A3
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_023E0042 push dword ptr fs:[00000030h]	5_2_023E0042
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_022FE0A3 push dword ptr fs:[00000030h]	6_2_022FE0A3
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 6_2_02390042 push dword ptr fs:[00000030h]	6_2_02390042

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Code function: 2_2_004278D5 GetProcessHeap,

2_2_004278D5

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_00405CA9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00405CA9
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_004071F1 SetUnhandledExceptionFilter,	0_2_004071F1
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 0_2_00407D9E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00407D9E
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_004329EC
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 2_2_004329BB SetUnhandledExceptionFilter,	2_2_004329BB
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_00405CA9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00405CA9
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_004071F1 SetUnhandledExceptionFilter,	5_2_004071F1
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: 5_2_00407D9E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00407D9E
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_004329EC
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: 12_2_004329BB SetUnhandledExceptionFilter,	12_2_004329BB

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Code function: 0_2_02360110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,

0_2_02360110

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Memory written: C:\Users\user\Desktop\66d5df681876c_file010924.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Memory written: C:\Users\user\Desktop\66d5df681876c_file010924.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Memory written: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Memory written: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Memory written: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Memory written: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Memory written: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Code function: 2_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,

2_2_00419F90

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Process created: C:\Users\user\Desktop\66d5df681876c_file010924.exe "C:\Users\user\Desktop\66d5df681876c_file010924.exe"	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Process created: C:\Users\user\Desktop\66d5df681876c_file010924.exe "C:\Users\user\Desktop\66d5df681876c_file010924.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Process created: C:\Users\user\Desktop\66d5df681876c_file010924.exe "C:\Users\user\Desktop\66d5df681876c_file010924.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Process created: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe --Task	Jump to behavior
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Process created: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe "C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe" --AutoStart
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Process created: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe --Task
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Process created: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe "C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe" --AutoStart
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Process created: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe --Task

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Code function: 0_2_023880F6 cpuid

0_2_023880F6

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: GetNumberFormatW,CreateJobObjectW,GetConsoleAliasExesW,EnumDateFormatsA,CreateNamedPipeA,GetProcessVersion,SetFileShortNameA,SetProcessShutdownParameters,GetCalendarInfoA,LoadLibraryW,GetModuleFileNameW,GetNumberFormatA,GetLogicalDriveStringsA,VerifyVersionInfoW,SetVolumeMountPointA,CreateHardLinkA,UnlockFile,SetCommState,GetTempPathA,_memset,CommConfigDialogW,CreateActCtxA,EnumCalendarInfoExA,GetLocaleInfoA,ReadConsoleInputW,SetVolumeMountPointA,GetConsoleAliasExesLengthW,CreateEventW,	0_2_00403626
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: GetNumberFormatW,CreateJobObjectW,GetConsoleAliasExesW,EnumDateFormatsA,CreateNamedPipeA,GetProcessVersion,SetFileShortNameA,SetProcessShutdownParameters,GetCalendarInfoA,LoadLibraryW,GetModuleFileNameW,GetNumberFormatA,GetLogicalDriveStringsA,VerifyVersionInfoW,SetVolumeMountPointA,CreateHardLinkA,UnlockFile,SetCommState,GetTempPathA,_memset,CommConfigDialogW,CreateActCtxA,EnumCalendarInfoExA,GetLocaleInfoA,ReadConsoleInputW,SetVolumeMountPointA,GetConsoleAliasExesLengthW,CreateEventW,	0_2_00403628
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: GetNumberFormatA,GetLogicalDriveStringsA,VerifyVersionInfoW,SetVolumeMountPointA,CreateHardLinkA,UnlockFile,SetCommState,GetTempPathA,_memset,CommConfigDialogW,CreateActCtxA,EnumCalendarInfoExA,GetLocaleInfoA,ReadConsoleInputW,SetVolumeMountPointA,GetConsoleAliasExesLengthW,CreateEventW,	0_2_00403708
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: GetNumberFormatA,SetVolumeMountPointA,GetNumberFormatW,CreateJobObjectW,GetConsoleAliasExesW,EnumDateFormatsA,CreateNamedPipeA,GetProcessVersion,SetFileShortNameA,SetProcessShutdownParameters,GetCalendarInfoA,LoadLibraryW,GetModuleFileNameW,GetNumberFormatA,GetLogicalDriveStringsA,VerifyVersionInfoW,SetVolumeMountPointA,CreateHardLinkA,UnlockFile,SetCommState,GetTempPathA,_memset,CommConfigDialogW,CreateActCtxA,EnumCalendarInfoExA,GetLocaleInfoA,ReadConsoleInputW,SetVolumeMountPointA,GetConsoleAliasExesLengthW,CreateEventW,	0_2_004035E0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_023A0AB6
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	0_2_0238C8B7
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,	0_2_0239394D
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,	0_2_023949EA
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_02393F87
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,	2_2_0043404A
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	2_2_00438178
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	2_2_00440116
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_004382A2
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	2_2_0043834F
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	2_2_00438423
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: EnumSystemLocalesW,	2_2_004387C8
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: GetLocaleInfoW,	2_2_0043884E
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,	2_2_00432B6D
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,	2_2_00432FAD
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	2_2_004335E7
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,	2_2_00437BB3
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: EnumSystemLocalesW,	2_2_00437E27
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	2_2_00437E83
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	2_2_00437F00
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,	2_2_0042BF17
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	2_2_00437F83
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: GetNumberFormatW,CreateJobObjectW,GetConsoleAliasExesW,EnumDateFormatsA,CreateNamedPipeA,GetProcessVersion,SetFileShortNameA,SetProcessShutdownParameters,GetCalendarInfoA,LoadLibraryW,GetModuleFileNameW,GetNumberFormatA,GetLogicalDriveStringsA,VerifyVersionInfoW,SetVolumeMountPointA,CreateHardLinkA,UnlockFile,SetCommState,GetTempPathA,_memset,CommConfigDialogW,CreateActCtxA,EnumCalendarInfoExA,GetLocaleInfoA,ReadConsoleInputW,SetVolumeMountPointA,GetConsoleAliasExesLengthW,CreateEventW,	5_2_00403626
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: GetNumberFormatW,CreateJobObjectW,GetConsoleAliasExesW,EnumDateFormatsA,CreateNamedPipeA,GetProcessVersion,SetFileShortNameA,SetProcessShutdownParameters,GetCalendarInfoA,LoadLibraryW,GetModuleFileNameW,GetNumberFormatA,GetLogicalDriveStringsA,VerifyVersionInfoW,SetVolumeMountPointA,CreateHardLinkA,UnlockFile,SetCommState,GetTempPathA,_memset,CommConfigDialogW,CreateActCtxA,EnumCalendarInfoExA,GetLocaleInfoA,ReadConsoleInputW,SetVolumeMountPointA,GetConsoleAliasExesLengthW,CreateEventW,	5_2_00403628
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: GetNumberFormatA,GetLogicalDriveStringsA,VerifyVersionInfoW,SetVolumeMountPointA,CreateHardLinkA,UnlockFile,SetCommState,GetTempPathA,_memset,CommConfigDialogW,CreateActCtxA,EnumCalendarInfoExA,GetLocaleInfoA,ReadConsoleInputW,SetVolumeMountPointA,GetConsoleAliasExesLengthW,CreateEventW,	5_2_00403708
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: GetNumberFormatA,SetVolumeMountPointA,GetNumberFormatW,CreateJobObjectW,GetConsoleAliasExesW,EnumDateFormatsA,CreateNamedPipeA,GetProcessVersion,SetFileShortNameA,SetProcessShutdownParameters,GetCalendarInfoA,LoadLibraryW,GetModuleFileNameW,GetNumberFormatA,GetLogicalDriveStringsA,VerifyVersionInfoW,SetVolumeMountPointA,CreateHardLinkA,UnlockFile,SetCommState,GetTempPathA,_memset,CommConfigDialogW,CreateActCtxA,EnumCalendarInfoExA,GetLocaleInfoA,ReadConsoleInputW,SetVolumeMountPointA,GetConsoleAliasExesLengthW,CreateEventW,	5_2_004035E0
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	5_2_02420AB6
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	5_2_0240C8B7
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,	5_2_0241394D
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,	5_2_024149EA
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	5_2_02413F87
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	6_2_023D0AB6
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	6_2_023BC8B7
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,	6_2_023C394D
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,	6_2_023C49EA
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	6_2_023C3F87
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,	12_2_0043404A
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	12_2_00438178
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	12_2_00440116
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	12_2_004382A2
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	12_2_0043834F
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	12_2_00438423
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	12_2_004335E7
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: EnumSystemLocalesW,	12_2_004387C8
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: GetLocaleInfoW,	12_2_0043884E
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,	12_2_00432B6D
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,	12_2_00437BB3
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: EnumSystemLocalesW,	12_2_00437E27
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	12_2_00437E83
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	12_2_00437F00
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,	12_2_0042BF17
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	12_2_00437F83
Source: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,	12_2_00432FAD

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

0_2_00403626

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Code function: 0_2_0040790C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0040790C

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

2_2_00419F90

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Code function: 2_2_0042FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

2_2_0042FE47

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

2_2_00419F90

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\shield-preference-experiments.json	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\SiteSecurityServiceState.txt	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\containers.json	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\times.json	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\AlternateServices.txt	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\parent.lock	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\handlers.json	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\webappsstore.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\xulstore.json	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\pkcs11.txt	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\y572q81e.default\times.json	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\extension-preferences.json	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\search.json.mozlz4	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\webappsstore.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\66d5df681876c_file010924.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	1 Taint Shared Content	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	2 Data Encrypted for Impact
Credentials	Domains	Default Accounts	3 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	3 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Services File Permissions Weakness	212 Process Injection	22 Software Packing	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	25 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Services File Permissions Weakness	1 Masquerading	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	151 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	212 Process Injection	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Services File Permissions Weakness	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
66d5df681876c_file010924.exe	71%	ReversingLabs	Win32.Trojan.GCleaner
66d5df681876c_file010924.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe	71%	ReversingLabs	Win32.Trojan.GCleaner

Source	Detection	Scanner	Label
https://www.avito.ru/	0%	URL Reputation	safe
https://www.ctrip.com/	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://www.reddit.com/	0%	URL Reputation	safe
http://www.reddit.com/	0%	URL Reputation	safe
https://openjsf.org/	0%	URL Reputation	safe
https://www.amazon.ca/	0%	URL Reputation	safe
https://www.ebay.co.uk/	0%	URL Reputation	safe
https://www.ebay.de/	0%	URL Reputation	safe
https://mail.google.com/mail/?usp=installed_webapp	0%	Avira URL Cloud	safe
https://www.youtube.com/:	0%	Avira URL Cloud	safe
https://www.msn.com/news?OCID=WSB_QS_NE&PC=wsbmsnqs	0%	Avira URL Cloud	safe
https://docs.google.com/document/J	0%	Avira URL Cloud	safe
https://docs.google.com/document/:	0%	Avira URL Cloud	safe
https://assets.activity.windows.com/v1/assets	0%	Avira URL Cloud	safe
https://artifacts.dev.azure.com/office/_apis/symbol/symsrv/privacy-sdx.win32.bundle.js.map/e3b0c4429	0%	Avira URL Cloud	safe
https://mail.google.com/mail/:	0%	Avira URL Cloud	safe
https://substrate.office365.us/api/v2.0/Users(	0%	Avira URL Cloud	safe
https://allegro.pl/	0%	URL Reputation	safe
https://substrate.office365.us/imageB2/v1.0/users/	0%	Avira URL Cloud	safe
http://underscorejs.org/LICENSE	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://outlook.office.com/M365.Access	0%	Avira URL Cloud	safe
https://wetransfer.com/downloads(	0%	Avira URL Cloud	safe
https://drive.google.com/?lfhs=2	0%	Avira URL Cloud	safe
http://cajgtus.com/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200	100%	Avira URL Cloud	malware
https://api.2ip.ua/q	0%	Avira URL Cloud	safe
https://substrate.office.com/api/v2.0/Users(	0%	Avira URL Cloud	safe
https://www.youtube.com/s/notifications/manifest/cr_install.html	0%	Avira URL Cloud	safe
https://mail.google.com/mail/J	0%	Avira URL Cloud	safe
https://www.youtube.com/?feature=ytca	0%	Avira URL Cloud	safe
https://www.youtube.com/J	0%	Avira URL Cloud	safe
http://www.openssl.org/support/faq.html	0%	URL Reputation	safe
https://www.ifeng.com/	0%	URL Reputation	safe
http://jedwatson.github.io/classnames	0%	URL Reputation	safe
https://www.amazon.com/	0%	Avira URL Cloud	safe
http://www.nytimes.com/	0%	URL Reputation	safe
https://api.2ip.ua/geo.jsonQ	0%	Avira URL Cloud	safe
https://www.msn.com/finance?OCID=WSB_TL_FN&PC=wsbmsnqs	0%	Avira URL Cloud	safe
https://api.2ip.ua/geo.jsonj	0%	Avira URL Cloud	safe
http://cajgtus.com/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200GtY	100%	Avira URL Cloud	malware
https://api.2ip.ua/geo.jsoni	0%	Avira URL Cloud	safe
https://lodash.com/	0%	URL Reputation	safe
https://www.bbc.co.uk/	0%	Avira URL Cloud	safe
https://api.2ip.ua/;	0%	Avira URL Cloud	safe
https://reactjs.org/docs/error-decoder.html?invariant=	0%	URL Reputation	safe
https://clients3.google.com/generate_204	0%	Avira URL Cloud	safe
https://www.youtube.com/	0%	Avira URL Cloud	safe
https://www.wykop.pl/	0%	URL Reputation	safe
https://www.olx.pl/	0%	URL Reputation	safe
https://www.amazon.fr/	0%	URL Reputation	safe
https://lodash.com/license	0%	URL Reputation	safe
https://fb.me/react-polyfills	0%	URL Reputation	safe
https://api.2ip.ua/geo.jsonHB	0%	Avira URL Cloud	safe
https://api.2ip.ua/geo.jsonI8=d8	0%	Avira URL Cloud	safe
http://www.youtube.com/	0%	Avira URL Cloud	safe
https://api.2ip.ua/geo.jsonPC	0%	Avira URL Cloud	safe
https://www.google.com/	0%	Avira URL Cloud	safe
https://api.2ip.ua/geo.jsonWi	0%	Avira URL Cloud	safe
https://api.2ip.ua/9	0%	Avira URL Cloud	safe
https://www.iqiyi.com/	0%	Avira URL Cloud	safe
https://github.com/react-native-community/react-native-netinfo	0%	Avira URL Cloud	safe
https://wetransfer.com/downloads/abe121434ad837dd5bdd038	0%	Avira URL Cloud	safe
https://mail.google.com/mail/installwebapp?usp=chrome_default	0%	Avira URL Cloud	safe
https://wetransfer.c	0%	Avira URL Cloud	safe
https://drive.google.com/drive/installwebapp?usp=chrome_default	0%	Avira URL Cloud	safe
https://docs.google.com/presentation/J	0%	Avira URL Cloud	safe
https://outlook.office.com/	0%	Avira URL Cloud	safe
https://docs.google.com/document/installwebapp?usp=chrome_default	0%	Avira URL Cloud	safe
http://www.amazon.com/	0%	Avira URL Cloud	safe
https://mths.be/fromcodepoint	0%	Avira URL Cloud	safe
http://www.twitter.com/	0%	Avira URL Cloud	safe
https://docs.google.com/presentation/:	0%	Avira URL Cloud	safe
https://docs.google.com/presentation/installwebapp?usp=chrome_default	0%	Avira URL Cloud	safe
https://www.msn.com/sports?OCID=WSB_TL_EL&PC=wsbmsnqs	0%	Avira URL Cloud	safe
https://github.com/jsstyles/css-vendor	0%	Avira URL Cloud	safe
https://docs.google.com/spreadsheets/J	0%	Avira URL Cloud	safe
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	0%	Avira URL Cloud	safe
https://docs.google.com/spreadsheets/?usp=installed_webapp	0%	Avira URL Cloud	safe
https://github.com/focus-trap/tabbable/blob/master/LICENSE	0%	Avira URL Cloud	safe
https://outlook.office.com/User.ReadWrite	0%	Avira URL Cloud	safe
https://substrate.office.com/imageB2/v1.0/users/	0%	Avira URL Cloud	safe
http://cajgtus.com/test1/get.phpj	100%	Avira URL Cloud	malware
https://api.2ip.ua/geo.jsonv	0%	Avira URL Cloud	safe
https://www.msn.com/weather?OCID=WSB_QS_WE&PC=wsbmsnqs	0%	Avira URL Cloud	safe
https://api.2ip.ua/geo.jsonp	0%	Avira URL Cloud	safe
https://docs.google.com/spreadsheets/:	0%	Avira URL Cloud	safe
https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284d	0%	Avira URL Cloud	safe
https://wetransfer.com/downloads	0%	Avira URL Cloud	safe
https://drive.google.com/:	0%	Avira URL Cloud	safe
http://cajgtus.com/test1/get.php	100%	Avira URL Cloud	malware
https://api.2ip.ua/	0%	Avira URL Cloud	safe
https://www.amazon.co.uk/	0%	Avira URL Cloud	safe
https://twitter.com/	0%	Avira URL Cloud	safe
https://drive.google.com/J	0%	Avira URL Cloud	safe
https://api.2ip.ua/geo.json	0%	Avira URL Cloud	safe
https://api.2ip.ua/geo.jsonRx	0%	Avira URL Cloud	safe
https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default	0%	Avira URL Cloud	safe
https://www.google.com/complete/	0%	Avira URL Cloud	safe
https://docs.google.com/presentation/?usp=installed_webapp	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cajgtus.com	190.220.21.28	true	true		unknown
api.2ip.ua	188.114.97.3	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://cajgtus.com/test1/get.php	true	Avira URL Cloud: malware	unknown
https://api.2ip.ua/geo.json	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://mail.google.com/mail/?usp=installed_webapp	66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.avito.ru/	66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.activity.windows.com/v1/assets	66d5df681876c_file010924.exe, 00000007.00000003.1369978087.0000000003440000.00000004.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1353189092.0000000003440000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://substrate.office365.us/api/v2.0/Users(	66d5df681876c_file010924.exe, 00000007.00000003.1849432694.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.google.com/document/J	66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ctrip.com/	66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/:	66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://artifacts.dev.azure.com/office/_apis/symbol/symsrv/privacy-sdx.win32.bundle.js.map/e3b0c4429	66d5df681876c_file010924.exe, 00000007.00000003.1357385958.0000000003440000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/news?OCID=WSB_QS_NE&PC=wsbmsnqs	66d5df681876c_file010924.exe, 00000007.00000003.1850244069.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mail.google.com/mail/:	66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.leboncoin.fr/	66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://substrate.office365.us/imageB2/v1.0/users/	66d5df681876c_file010924.exe, 00000007.00000003.1849432694.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.google.com/document/:	66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.office.com/M365.Access	66d5df681876c_file010924.exe, 00000007.00000003.1849432694.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wetransfer.com/downloads(	66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.0000000000716000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cajgtus.com/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200	66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.0000000000638000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://mail.google.com/mail/J	66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://substrate.office.com/api/v2.0/Users(	66d5df681876c_file010924.exe, 00000007.00000003.1849432694.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.google.com/?lfhs=2	66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reddit.com/	66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/s/notifications/manifest/cr_install.html	66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/q	66d5df681876c_file010924.exe, 00000007.00000003.1273669336.000000000061C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reddit.com/	66d5df681876c_file010924.exe, 0000000C.00000003.1345160231.0000000003570000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://openjsf.org/	66d5df681876c_file010924.exe, 00000007.00000003.1847950905.0000000003300000.00000004.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1846853104.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.ca/	66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/?feature=ytca	66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.youtube.com/J	66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ebay.co.uk/	66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ebay.de/	66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.2ip.ua/geo.jsonQ	66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.0000000000679000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/	66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cajgtus.com/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200GtY	66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.00000000006C3000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://api.2ip.ua/geo.jsoni	66d5df681876c_file010924.exe, 00000015.00000002.1394638850.0000000000708000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/finance?OCID=WSB_TL_FN&PC=wsbmsnqs	66d5df681876c_file010924.exe, 00000007.00000003.1850244069.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.jsonj	66d5df681876c_file010924.exe, 00000002.00000003.1251308792.000000000064B000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000002.00000003.1251353345.000000000064E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://clients3.google.com/generate_204	66d5df681876c_file010924.exe, 00000007.00000003.1357773774.0000000003440000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.youtube.com/	66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://allegro.pl/	66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://underscorejs.org/LICENSE	66d5df681876c_file010924.exe, 00000007.00000003.1847950905.0000000003300000.00000004.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1846853104.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.2ip.ua/;	66d5df681876c_file010924.exe, 00000002.00000002.1252430363.000000000062D000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000002.00000003.1251377452.000000000062D000.00000004.00000020.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000002.00000003.1250134757.000000000062C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.bbc.co.uk/	66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bugzilla.mo	66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.0000000000545000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.2ip.ua/geo.jsonHB	66d5df681876c_file010924.exe, 00000015.00000002.1394638850.0000000000708000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.jsonI8=d8	66d5df681876c_file010924.exe, 00000015.00000002.1394638850.0000000000796000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.youtube.com/	66d5df681876c_file010924.exe, 00000007.00000003.1345267437.0000000003440000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.jsonPC	66d5df681876c_file010924.exe, 00000015.00000002.1394638850.0000000000708000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.jsonWi	66d5df681876c_file010924.exe, 00000015.00000002.1394638850.0000000000708000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/	66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1877581489.0000000000545000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.iqiyi.com/	66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/9	66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.0000000000679000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/react-native-community/react-native-netinfo	66d5df681876c_file010924.exe, 00000007.00000003.1357773774.0000000003440000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wetransfer.com/downloads/abe121434ad837dd5bdd038	66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.0000000000716000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://mail.google.com/mail/installwebapp?usp=chrome_default	66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wetransfer.c	66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.0000000000716000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://docs.google.com/presentation/J	66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.google.com/drive/installwebapp?usp=chrome_default	66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.amazon.com/	66d5df681876c_file010924.exe, 0000000C.00000003.1344918775.0000000003570000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mths.be/fromcodepoint	66d5df681876c_file010924.exe, 00000007.00000003.1850189989.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.google.com/document/installwebapp?usp=chrome_default	66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.twitter.com/	66d5df681876c_file010924.exe, 00000007.00000003.1345195304.0000000003440000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.office.com/	66d5df681876c_file010924.exe, 00000007.00000003.1849432694.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.google.com/presentation/:	66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.google.com/presentation/installwebapp?usp=chrome_default	66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/sports?OCID=WSB_TL_EL&PC=wsbmsnqs	66d5df681876c_file010924.exe, 00000007.00000003.1850244069.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/jsstyles/css-vendor	66d5df681876c_file010924.exe, 00000007.00000003.1847667825.0000000003300000.00000004.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1847950905.0000000003300000.00000004.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1846853104.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.html	66d5df681876c_file010924.exe, 00000015.00000002.1393524836.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://docs.google.com/spreadsheets/J	66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	66d5df681876c_file010924.exe, 00000000.00000002.1232991821.0000000002360000.00000040.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000002.00000002.1252295528.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000005.00000002.1261436866.00000000023E0000.00000040.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000006.00000002.1282193755.0000000002390000.00000040.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 0000000C.00000002.2488460103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000014.00000002.1380613748.0000000002360000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.google.com/spreadsheets/?usp=installed_webapp	66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/focus-trap/tabbable/blob/master/LICENSE	66d5df681876c_file010924.exe, 00000007.00000003.1846853104.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.office.com/User.ReadWrite	66d5df681876c_file010924.exe, 00000007.00000003.1849432694.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://substrate.office.com/imageB2/v1.0/users/	66d5df681876c_file010924.exe, 00000007.00000003.1849432694.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ifeng.com/	66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cajgtus.com/test1/get.phpj	66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.0000000000679000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.2ip.ua/geo.jsonv	66d5df681876c_file010924.exe, 00000007.00000003.1273669336.0000000000656000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/weather?OCID=WSB_QS_WE&PC=wsbmsnqs	66d5df681876c_file010924.exe, 00000007.00000003.1850244069.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.jsonp	66d5df681876c_file010924.exe, 00000015.00000002.1394638850.0000000000708000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.google.com/spreadsheets/:	66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://jedwatson.github.io/classnames	66d5df681876c_file010924.exe, 00000007.00000003.1847950905.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284d	66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.00000000006C3000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://wetransfer.com/downloads	66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.0000000000716000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.nytimes.com/	66d5df681876c_file010924.exe, 00000007.00000003.1345122319.0000000003440000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive.google.com/:	66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/	66d5df681876c_file010924.exe, 00000015.00000002.1394638850.0000000000748000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.co.uk/	66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lodash.com/	66d5df681876c_file010924.exe, 00000007.00000003.1847950905.0000000003300000.00000004.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1846853104.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reactjs.org/docs/error-decoder.html?invariant=	66d5df681876c_file010924.exe, 00000007.00000003.1849676514.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive.google.com/J	66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.wykop.pl/	66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://twitter.com/	66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.olx.pl/	66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.2ip.ua/geo.jsonRx	66d5df681876c_file010924.exe, 0000000C.00000002.2491283799.0000000000638000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default	66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.fr/	66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/complete/	66d5df681876c_file010924.exe, 00000007.00000003.1877581489.000000000054B000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lodash.com/license	66d5df681876c_file010924.exe, 00000007.00000003.1847950905.0000000003300000.00000004.00001000.00020000.00000000.sdmp, 66d5df681876c_file010924.exe, 00000007.00000003.1846853104.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://docs.google.com/presentation/?usp=installed_webapp	66d5df681876c_file010924.exe, 00000007.00000003.1845252752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fb.me/react-polyfills	66d5df681876c_file010924.exe, 00000007.00000003.1849676514.0000000003300000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	api.2ip.ua	European Union		13335	CLOUDFLARENETUS	false
190.220.21.28	cajgtus.com	Argentina		19037	AMXArgentinaSAAR	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1503035
Start date and time:	2024-09-02 18:20:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	66d5df681876c_file010924.exe
Detection:	MAL
Classification:	mal100.rans.spre.troj.spyw.evad.winEXE@23/1373@4/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 66 Number of non-executed functions: 272
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe, UsoClient.exe
Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
VT rate limit hit for: 66d5df681876c_file010924.exe

Simulations

Behavior and APIs

Time	Type	Description
12:21:13	API Interceptor	1x Sleep call for process: 66d5df681876c_file010924.exe modified
18:21:06	Task Scheduler	Run new task: Time Trigger Task path: C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe s>--Task
18:21:08	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe" --AutoStart
18:21:17	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe" --AutoStart

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	firmware.armv5l.elf	Get hash	malicious	Unknown	Browse	188.114.97.3/
	firmware.i586.elf	Get hash	malicious	Unknown	Browse	188.114.97.3/
	play.exe	Get hash	malicious	FormBook	Browse	www.playdoge.buzz/dkjp/
	SecuriteInfo.com.Trojan.DownLoader47.19820.5694.3811.exe	Get hash	malicious	Unknown	Browse	rustmacro.ru/autoupdate.exe
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/DGApDW0P/download
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/DGApDW0P/download
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/8hthkO24/download
	gHPYUEh253.exe	Get hash	malicious	Djvu, Neoreklami, Stealc, Vidar, Xmrig	Browse	joxi.net/4Ak49WQH0GE3Nr.mp3
	Izvod racuna u prilogu.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.coinwab.com/kqqj/
	file.exe	Get hash	malicious	LummaC	Browse	joxi.net/4Ak49WQH0GE3Nr.mp3
190.220.21.28	CbLDghhFAW.exe	Get hash	malicious	SmokeLoader	Browse	yosoborno.com/tmp/
	8xFzJWrEIa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar	Browse	sajdfue.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637
	file.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Vidar	Browse	sajdfue.com/files/1/build3.exe
	file.exe	Get hash	malicious	SmokeLoader	Browse	nidoe.org/tmp/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cajgtus.com	3QKcKCEzYP.exe	Get hash	malicious	LummaC, Djvu, Go Injector, LummaC Stealer, Neoreklami, Stealc, SystemBC	Browse	190.13.174.94
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	109.175.29.39
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	58.151.148.90
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	109.175.29.39
	setup.exe	Get hash	malicious	Babuk, Djvu	Browse	211.181.24.133
	setup.exe	Get hash	malicious	Babuk, Djvu	Browse	211.181.24.133
	setup.exe	Get hash	malicious	Babuk, Djvu	Browse	175.119.10.231
	setup.exe	Get hash	malicious	Babuk, Djvu	Browse	181.204.98.226
	setup.exe	Get hash	malicious	Babuk, Djvu	Browse	190.12.87.61
	TfsbrHNaOX.exe	Get hash	malicious	Djvu	Browse	78.89.199.216
api.2ip.ua	tsnsd8pOvn.exe	Get hash	malicious	Babuk, Djvu	Browse	188.114.97.3
	3QKcKCEzYP.exe	Get hash	malicious	LummaC, Djvu, Go Injector, LummaC Stealer, Neoreklami, Stealc, SystemBC	Browse	188.114.96.3
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	188.114.96.3
	C0XWmZAnYk.exe	Get hash	malicious	Babuk, Djvu	Browse	188.114.96.3
	284ae9899ae53d03d27bd3f72892d843fe5bbecb097f5.exe	Get hash	malicious	Amadey, DarkTortilla, Djvu, LummaC Stealer, RedLine, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	188.114.97.3
	setup.exe	Get hash	malicious	Babuk, Djvu	Browse	188.114.96.3
	e8997f96b91ab5ea1fed555a7d62369a8307b0cfcbd0e32c5e9a7e430ab42240.zip	Get hash	malicious	Djvu	Browse	188.114.97.3
	A9095F44928219267930271D2AD000C7B2F7F2616DB4AD186E5D3AA283D14764.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	188.114.96.3
	DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe	Get hash	malicious	Babuk, Bdaejec, Djvu, Zorab	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	66d5ddcec1520_shtr.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	66d5ddcbb9f86_vyre.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	Rfq_last_quater_product_purchase_order_import_list_2024_000000.cmd	Get hash	malicious	GuLoader, Remcos	Browse	104.21.2.94
	Shipping Documents.bat.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SolaraBoostrapper.exe	Get hash	malicious	Blank Grabber	Browse	162.159.135.232
	Solara_Executorv2.1.exe.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup_v1.47.exe	Get hash	malicious	LummaC	Browse	104.21.69.149
	https://forms.office.com/e/SK99GFntNY%9C%D1%96%D165qvqrYAVfmSXl6ObkQscukzhydtenmpez65qvqrYAVfmSXl6ObkQs?owla=529Kjosg2d	Get hash	malicious	HTMLPhisher	Browse	104.21.57.226
	05HbyP1HCy.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	UXJM4UoKhk.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
AMXArgentinaSAAR	Vertexgroup#Signature.pdf	Get hash	malicious	Unknown	Browse	23.76.39.75
	CbLDghhFAW.exe	Get hash	malicious	SmokeLoader	Browse	190.220.21.28
	ExeFile (260).exe	Get hash	malicious	Emotet	Browse	190.220.19.82
	7HddY6rYkf.elf	Get hash	malicious	Mirai	Browse	200.80.200.184
	arm.elf	Get hash	malicious	Mirai	Browse	190.3.44.186
	https://bushelman-my.sharepoint.com/:b:/p/lance/ESXtc6Laa05KpaC4W3rpMEMBfLSUU1GZhgfhBL8opRqFHg?e=Wrw3le	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	23.76.37.146
	[EXTERNAL] New file received.eml	Get hash	malicious	HTMLPhisher	Browse	23.76.37.146
	JfOWsh7v0r.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	23.76.43.59
	8xFzJWrEIa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar	Browse	190.220.21.28
	SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	23.76.43.59

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	66d5ddcec1520_shtr.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.97.3
	66d5ddcbb9f86_vyre.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	Rfq_last_quater_product_purchase_order_import_list_2024_000000.cmd	Get hash	malicious	GuLoader, Remcos	Browse	188.114.97.3
	Unlock_Tool_5.0.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	188.114.97.3
	oEijqRFE2K.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	1RGKUwuqi0.exe	Get hash	malicious	Remcos, PureLog Stealer, XRed	Browse	188.114.97.3
	4Z8GoGGGLH.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	x64__installer___v4.8.6.msi	Get hash	malicious	Unknown	Browse	188.114.97.3
	anziOUzZJs.exe	Get hash	malicious	Remcos	Browse	188.114.97.3
	4Z8GoGGGLH.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3

Process:	C:\Users\user\Desktop\66d5df681876c_file010924.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1381
Entropy (8bit):	4.87972850781078
Encrypted:	false
SSDEEP:	24:FS5ZHPnIekFQjhRe9bgnYfJeKAUEuWEYNKCzmFRqrs6314kA+GT/kF5M2/kJw3Rx:WZHfv0pfNAU5WEYNKCzPs41rDGT0f/k0
MD5:	242ED9093DBD2B45ED7A82B7BCCFEF72
SHA1:	FF3E9910D40999CA2F85F642F4AD7DDE53F9CFDE
SHA-256:	D8C1F5BD75A74514C114D902DD449FAE1ACAF6856B3EBD2BD6E3319BCE2ED968
SHA-512:	65196DA7590F9AC581160AFF99A15BAC5435A989EB48F668519CE31416DBE7BAA74DFFC446FFBA082AE9FC0AD26E3CEFBFAEAD245C81F4B7C72C2DB1605292F9
Malicious:	true
Reputation:	low
Preview:	ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...Do not ask assistants from youtube and recovery data sites for help in recovering your data...They can use your free decryption quota and scam you...Our contact is emails in this text document only...You can get and look video overview decrypt tool:..https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284d..Price of private key and decrypt software is $999...Discount 50% available if you contact us first 72 hours, that's price for you is $49

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.21116287983223
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	66d5df681876c_file010924.exe
File size:	831'488 bytes
MD5:	7972b08246e568495d9d116fc2d0b159
SHA1:	3e12225494f08369858453fd9fc7481b4f788165
SHA256:	2a6c90c8db27e6ac04c7e339dfe4b3c2d47a292bcf6fc1c5b4e0ae62fc81ff84
SHA512:	f0ead246f31d1badb3cd5fd67cb5b3081f027fdad44dd50364734d61722f1bc2cacb1ad5d842ca3f7000a2699e7bdf059a508b54a95f5e155ae274d70e833ff7
SSDEEP:	24576:60oeRhL4Zihw/WaRupypku1ADMH0h0kT:60J482RuRuQMm
TLSH:	6C05024253E1AD20D5A2EB32DE3EF6F4762DB8019E687B5A23187F3F19711D2C522315
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........H.z...z...z.......z....!..z.......z....,..z...z...z.......z....%..z...."..z..Rich.z..................PE..L....i.e...........

Entrypoint:	0x404daa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x65E669FA [Tue Mar 5 00:40:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	00e87a3230db3a6bdb4035240d620685

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa14ac	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24a000	0x122d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa14fc	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3458	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1d0	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa0f6a	0xa1000	8e869e41c537fd6818f668f3622b2576	False	0.9477205454192547	data	7.924714226500883	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xa2000	0x1a7328	0x17800	05385c9d6b330d1fba3da24534ed356c	False	0.019707862367021278	data	0.2581819585895258	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x24a000	0x122d0	0x12400	9956e1605deee370ffeb98ebc4d9536b	False	0.3544520547945205	data	4.516383046908406	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x256f48	0xe	data			1.5714285714285714
AFX_DIALOG_LAYOUT	0x256f58	0x2	data			5.0
RT_CURSOR	0x256f60	0x330	Device independent bitmap graphic, 48 x 96 x 1, image size 0			0.1948529411764706
RT_CURSOR	0x257290	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.33223684210526316
RT_CURSOR	0x2573e8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.26439232409381663
RT_CURSOR	0x258290	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.3686823104693141
RT_CURSOR	0x258b38	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.49060693641618497
RT_CURSOR	0x2590d0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.27238805970149255
RT_CURSOR	0x259f78	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.375
RT_CURSOR	0x25a820	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5057803468208093
RT_ICON	0x24a830	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Tamil	India	0.4672174840085288
RT_ICON	0x24a830	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Tamil	Sri Lanka	0.4672174840085288
RT_ICON	0x24b6d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Tamil	India	0.5753610108303249
RT_ICON	0x24b6d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Tamil	Sri Lanka	0.5753610108303249
RT_ICON	0x24bf80	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	India	0.6394009216589862
RT_ICON	0x24bf80	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	Sri Lanka	0.6394009216589862
RT_ICON	0x24c648	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Tamil	India	0.6936416184971098
RT_ICON	0x24c648	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Tamil	Sri Lanka	0.6936416184971098
RT_ICON	0x24cbb0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Tamil	India	0.3565352697095436
RT_ICON	0x24cbb0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Tamil	Sri Lanka	0.3565352697095436
RT_ICON	0x24f158	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Tamil	India	0.44394934333958724
RT_ICON	0x24f158	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Tamil	Sri Lanka	0.44394934333958724
RT_ICON	0x250200	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Tamil	India	0.519672131147541
RT_ICON	0x250200	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Tamil	Sri Lanka	0.519672131147541
RT_ICON	0x250b88	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Tamil	India	0.6152482269503546
RT_ICON	0x250b88	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Tamil	Sri Lanka	0.6152482269503546
RT_ICON	0x251068	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	India	0.3675373134328358
RT_ICON	0x251068	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	Sri Lanka	0.3675373134328358
RT_ICON	0x251f10	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	India	0.453971119133574
RT_ICON	0x251f10	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	Sri Lanka	0.453971119133574
RT_ICON	0x2527b8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	India	0.45794930875576034
RT_ICON	0x2527b8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	Sri Lanka	0.45794930875576034
RT_ICON	0x252e80	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	India	0.4552023121387283
RT_ICON	0x252e80	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	Sri Lanka	0.4552023121387283
RT_ICON	0x2533e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.26815352697095435
RT_ICON	0x2533e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.26815352697095435
RT_ICON	0x255990	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	India	0.31097560975609756
RT_ICON	0x255990	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	Sri Lanka	0.31097560975609756
RT_ICON	0x256a38	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.3528368794326241
RT_ICON	0x256a38	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.3528368794326241
RT_DIALOG	0x25b028	0x58	data			0.8977272727272727
RT_STRING	0x25b080	0x3b8	AmigaOS bitmap font "o", fc_YSize 26880, 22528 elements, 2nd "a", 3rd "v"	Tamil	India	0.4653361344537815
RT_STRING	0x25b080	0x3b8	AmigaOS bitmap font "o", fc_YSize 26880, 22528 elements, 2nd "a", 3rd "v"	Tamil	Sri Lanka	0.4653361344537815
RT_STRING	0x25b438	0x536	data	Tamil	India	0.444527736131934
RT_STRING	0x25b438	0x536	data	Tamil	Sri Lanka	0.444527736131934
RT_STRING	0x25b970	0x1f4	data	Tamil	India	0.518
RT_STRING	0x25b970	0x1f4	data	Tamil	Sri Lanka	0.518
RT_STRING	0x25bb68	0x508	data	Tamil	India	0.4409937888198758
RT_STRING	0x25bb68	0x508	data	Tamil	Sri Lanka	0.4409937888198758
RT_STRING	0x25c070	0x260	data	Tamil	India	0.4934210526315789
RT_STRING	0x25c070	0x260	data	Tamil	Sri Lanka	0.4934210526315789
RT_ACCELERATOR	0x256f08	0x40	data	Tamil	India	0.875
RT_ACCELERATOR	0x256f08	0x40	data	Tamil	Sri Lanka	0.875
RT_GROUP_CURSOR	0x2573c0	0x22	data			1.0294117647058822
RT_GROUP_CURSOR	0x2590a0	0x30	data			0.9375
RT_GROUP_CURSOR	0x25ad88	0x30	data			0.9375
RT_GROUP_ICON	0x250ff0	0x76	data	Tamil	India	0.6610169491525424
RT_GROUP_ICON	0x250ff0	0x76	data	Tamil	Sri Lanka	0.6610169491525424
RT_GROUP_ICON	0x256ea0	0x68	data	Tamil	India	0.7115384615384616
RT_GROUP_ICON	0x256ea0	0x68	data	Tamil	Sri Lanka	0.7115384615384616
RT_VERSION	0x25adb8	0x26c	data			0.5419354838709678

DLL	Import
KERNEL32.dll	CreateJobObjectW, InterlockedCompareExchange, UnlockFile, CreateHardLinkA, GetTickCount, GetNumberFormatA, GetConsoleAliasExesW, SetCommState, GlobalAlloc, LoadLibraryW, LocalShrink, GetCalendarInfoA, SetVolumeMountPointA, GetSystemWindowsDirectoryA, GetConsoleAliasExesLengthW, SetConsoleCP, GetFileAttributesA, GetModuleFileNameW, CreateActCtxA, GetThreadPriorityBoost, VerifyVersionInfoW, GetLogicalDriveStringsA, GetCurrentDirectoryW, SetLastError, GetProcAddress, CreateNamedPipeA, GetConsoleDisplayMode, GetProcessVersion, SetEnvironmentVariableW, InterlockedExchangeAdd, CreateFileMappingW, GetNumberFormatW, CreateEventW, OpenEventA, QueryDosDeviceW, GlobalWire, EnumDateFormatsA, EnumResourceNamesA, VirtualProtect, WaitForDebugEvent, PeekConsoleInputA, GetShortPathNameW, SetProcessShutdownParameters, SetFileShortNameA, GetDiskFreeSpaceExA, ReadConsoleInputW, GetTempPathA, EnumCalendarInfoExA, LCMapStringW, CommConfigDialogW, HeapReAlloc, RtlUnwind, HeapSize, RaiseException, SetDefaultCommConfigW, GetCurrentProcess, SetEndOfFile, LoadLibraryA, GetLocaleInfoA, MultiByteToWideChar, GetLastError, HeapFree, HeapAlloc, GetModuleHandleW, ExitProcess, DecodePointer, GetCommandLineW, HeapSetInformation, GetStartupInfoW, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetCurrentThreadId, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, IsProcessorFeaturePresent, HeapCreate, WriteFile, GetStdHandle, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, WideCharToMultiByte, GetStringTypeW, Sleep
USER32.dll	LoadMenuW, CharUpperW, GetSysColor, GetMenuStringA, GetCaretPos, DrawStateA
GDI32.dll	GetCharWidthFloatA, CreateDCW, GetCharWidth32A, GetBitmapBits

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 2, 2024 18:21:05.171914101 CEST	49701	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:05.171938896 CEST	443	49701	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:05.172029972 CEST	49701	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:05.191123009 CEST	49701	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:05.191139936 CEST	443	49701	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:05.663440943 CEST	443	49701	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:05.663573027 CEST	49701	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:06.030391932 CEST	49701	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:06.030437946 CEST	443	49701	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:06.030831099 CEST	443	49701	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:06.030888081 CEST	49701	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:06.034231901 CEST	49701	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:06.080511093 CEST	443	49701	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:06.383085012 CEST	443	49701	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:06.383148909 CEST	49701	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:06.383162975 CEST	443	49701	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:06.383177996 CEST	443	49701	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:06.383203983 CEST	49701	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:06.383233070 CEST	49701	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:06.410352945 CEST	49701	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:06.410386086 CEST	443	49701	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:07.537579060 CEST	49702	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:07.537630081 CEST	443	49702	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:07.537697077 CEST	49702	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:07.549346924 CEST	49702	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:07.549371004 CEST	443	49702	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:08.019217014 CEST	443	49702	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:08.019380093 CEST	49702	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:08.032217979 CEST	49702	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:08.032238960 CEST	443	49702	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:08.032557011 CEST	443	49702	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:08.032619953 CEST	49702	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:08.034214973 CEST	49702	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:08.076512098 CEST	443	49702	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:08.619009018 CEST	443	49702	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:08.619105101 CEST	49702	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:08.619118929 CEST	443	49702	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:08.619128942 CEST	443	49702	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:08.619167089 CEST	49702	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:08.619204044 CEST	49702	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:08.670838118 CEST	49702	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:08.670874119 CEST	443	49702	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:09.797396898 CEST	49703	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:09.797449112 CEST	443	49703	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:09.797518015 CEST	49703	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:09.809150934 CEST	49703	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:09.809184074 CEST	443	49703	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:10.247605085 CEST	443	49703	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:10.247682095 CEST	49703	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:10.253017902 CEST	49703	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:10.253027916 CEST	443	49703	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:10.253269911 CEST	443	49703	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:10.253326893 CEST	49703	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:10.264075994 CEST	49703	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:10.304502010 CEST	443	49703	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:10.605998039 CEST	443	49703	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:10.606059074 CEST	49703	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:10.606079102 CEST	443	49703	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:10.606107950 CEST	443	49703	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:10.606127977 CEST	49703	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:10.606163025 CEST	49703	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:10.606975079 CEST	49703	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:10.606991053 CEST	443	49703	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:11.248816967 CEST	49705	80	192.168.2.7	190.220.21.28
Sep 2, 2024 18:21:11.249927998 CEST	49706	80	192.168.2.7	190.220.21.28
Sep 2, 2024 18:21:11.253730059 CEST	80	49705	190.220.21.28	192.168.2.7
Sep 2, 2024 18:21:11.253797054 CEST	49705	80	192.168.2.7	190.220.21.28
Sep 2, 2024 18:21:11.254311085 CEST	49705	80	192.168.2.7	190.220.21.28
Sep 2, 2024 18:21:11.254697084 CEST	80	49706	190.220.21.28	192.168.2.7
Sep 2, 2024 18:21:11.254772902 CEST	49706	80	192.168.2.7	190.220.21.28
Sep 2, 2024 18:21:11.256473064 CEST	49706	80	192.168.2.7	190.220.21.28
Sep 2, 2024 18:21:11.259093046 CEST	80	49705	190.220.21.28	192.168.2.7
Sep 2, 2024 18:21:11.261514902 CEST	80	49706	190.220.21.28	192.168.2.7
Sep 2, 2024 18:21:13.756006002 CEST	80	49705	190.220.21.28	192.168.2.7
Sep 2, 2024 18:21:13.756026983 CEST	80	49705	190.220.21.28	192.168.2.7
Sep 2, 2024 18:21:13.756041050 CEST	80	49706	190.220.21.28	192.168.2.7
Sep 2, 2024 18:21:13.756115913 CEST	80	49706	190.220.21.28	192.168.2.7
Sep 2, 2024 18:21:13.756127119 CEST	80	49705	190.220.21.28	192.168.2.7
Sep 2, 2024 18:21:13.756136894 CEST	80	49706	190.220.21.28	192.168.2.7
Sep 2, 2024 18:21:13.756181955 CEST	49705	80	192.168.2.7	190.220.21.28
Sep 2, 2024 18:21:13.756182909 CEST	49706	80	192.168.2.7	190.220.21.28
Sep 2, 2024 18:21:13.756232023 CEST	49705	80	192.168.2.7	190.220.21.28
Sep 2, 2024 18:21:13.756232023 CEST	49706	80	192.168.2.7	190.220.21.28
Sep 2, 2024 18:21:13.757093906 CEST	80	49705	190.220.21.28	192.168.2.7
Sep 2, 2024 18:21:13.757400990 CEST	80	49706	190.220.21.28	192.168.2.7
Sep 2, 2024 18:21:13.757453918 CEST	49705	80	192.168.2.7	190.220.21.28
Sep 2, 2024 18:21:13.757453918 CEST	49706	80	192.168.2.7	190.220.21.28
Sep 2, 2024 18:21:13.758354902 CEST	80	49706	190.220.21.28	192.168.2.7
Sep 2, 2024 18:21:13.758415937 CEST	49706	80	192.168.2.7	190.220.21.28
Sep 2, 2024 18:21:13.758697987 CEST	80	49705	190.220.21.28	192.168.2.7
Sep 2, 2024 18:21:13.758794069 CEST	49705	80	192.168.2.7	190.220.21.28
Sep 2, 2024 18:21:13.859994888 CEST	49705	80	192.168.2.7	190.220.21.28
Sep 2, 2024 18:21:13.872044086 CEST	80	49705	190.220.21.28	192.168.2.7
Sep 2, 2024 18:21:13.947313070 CEST	49706	80	192.168.2.7	190.220.21.28
Sep 2, 2024 18:21:13.954180956 CEST	80	49706	190.220.21.28	192.168.2.7
Sep 2, 2024 18:21:19.628081083 CEST	49712	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:19.628129005 CEST	443	49712	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:19.628190041 CEST	49712	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:19.658862114 CEST	49712	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:19.658876896 CEST	443	49712	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:20.290790081 CEST	443	49712	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:20.290870905 CEST	49712	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:20.294889927 CEST	49712	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:20.294899940 CEST	443	49712	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:20.295150042 CEST	443	49712	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:20.295203924 CEST	49712	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:20.296715021 CEST	49712	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:20.344501972 CEST	443	49712	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:20.656244040 CEST	443	49712	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:20.656351089 CEST	443	49712	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:20.656367064 CEST	49712	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:20.656450033 CEST	49712	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:20.657322884 CEST	49712	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:20.657344103 CEST	443	49712	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:32.140438080 CEST	49725	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:32.140499115 CEST	443	49725	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:32.140571117 CEST	49725	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:32.167256117 CEST	49725	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:32.167298079 CEST	443	49725	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:32.692122936 CEST	443	49725	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:32.692296028 CEST	49725	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:32.701266050 CEST	49725	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:32.701284885 CEST	443	49725	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:32.701502085 CEST	443	49725	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:32.701632977 CEST	49725	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:32.803451061 CEST	49725	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:32.848511934 CEST	443	49725	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:33.150588036 CEST	443	49725	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:33.150684118 CEST	443	49725	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:33.150790930 CEST	49725	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:33.150791883 CEST	49725	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:33.151783943 CEST	49725	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:33.151806116 CEST	443	49725	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:44.016531944 CEST	49727	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:44.016577959 CEST	443	49727	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:44.016657114 CEST	49727	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:44.030432940 CEST	49727	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:44.030442953 CEST	443	49727	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:44.492352962 CEST	443	49727	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:44.492446899 CEST	49727	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:44.497380972 CEST	49727	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:44.497396946 CEST	443	49727	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:44.497613907 CEST	443	49727	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:44.497658968 CEST	49727	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:44.499197960 CEST	49727	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:44.544503927 CEST	443	49727	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:44.860797882 CEST	443	49727	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:44.860908985 CEST	443	49727	188.114.97.3	192.168.2.7
Sep 2, 2024 18:21:44.861002922 CEST	49727	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:44.863576889 CEST	49727	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:21:44.863600969 CEST	443	49727	188.114.97.3	192.168.2.7
Sep 2, 2024 18:23:05.891160965 CEST	49731	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:23:05.891202927 CEST	443	49731	188.114.97.3	192.168.2.7
Sep 2, 2024 18:23:05.891279936 CEST	49731	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:23:05.903120041 CEST	49731	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:23:05.903135061 CEST	443	49731	188.114.97.3	192.168.2.7
Sep 2, 2024 18:23:06.345822096 CEST	443	49731	188.114.97.3	192.168.2.7
Sep 2, 2024 18:23:06.345977068 CEST	49731	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:23:06.357278109 CEST	49731	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:23:06.357294083 CEST	443	49731	188.114.97.3	192.168.2.7
Sep 2, 2024 18:23:06.357539892 CEST	443	49731	188.114.97.3	192.168.2.7
Sep 2, 2024 18:23:06.357590914 CEST	49731	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:23:06.369554996 CEST	49731	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:23:06.416506052 CEST	443	49731	188.114.97.3	192.168.2.7
Sep 2, 2024 18:23:06.711565018 CEST	443	49731	188.114.97.3	192.168.2.7
Sep 2, 2024 18:23:06.711662054 CEST	443	49731	188.114.97.3	192.168.2.7
Sep 2, 2024 18:23:06.711853027 CEST	49731	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:23:06.714422941 CEST	49731	443	192.168.2.7	188.114.97.3
Sep 2, 2024 18:23:06.714445114 CEST	443	49731	188.114.97.3	192.168.2.7

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 2, 2024 18:21:05.137840033 CEST	51354	53	192.168.2.7	1.1.1.1
Sep 2, 2024 18:21:05.165405989 CEST	53	51354	1.1.1.1	192.168.2.7
Sep 2, 2024 18:21:08.893810034 CEST	57765	53	192.168.2.7	1.1.1.1
Sep 2, 2024 18:21:09.896008968 CEST	57765	53	192.168.2.7	1.1.1.1
Sep 2, 2024 18:21:10.895678043 CEST	57765	53	192.168.2.7	1.1.1.1
Sep 2, 2024 18:21:11.234044075 CEST	53	57765	1.1.1.1	192.168.2.7
Sep 2, 2024 18:21:11.234121084 CEST	53	57765	1.1.1.1	192.168.2.7
Sep 2, 2024 18:21:11.234132051 CEST	53	57765	1.1.1.1	192.168.2.7

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 18:21:11.254311085 CEST	139	OUT	GET /test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200&first=true HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: cajgtus.com
Sep 2, 2024 18:21:13.756006002 CEST	764	IN	HTTP/1.1 200 OK Date: Mon, 02 Sep 2024 16:21:18 GMT Server: Apache/2.4.37 (Win64) PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 560 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 7b 22 70 75 62 6c 69 63 5f 6b 65 79 22 3a 22 2d 2d 2d 2d 2d 42 45 47 49 4e 26 23 31 36 30 3b 50 55 42 4c 49 43 26 23 31 36 30 3b 4b 45 59 2d 2d 2d 2d 2d 5c 5c 6e 4d 49 49 42 49 6a 41 4e 42 67 6b 71 68 6b 69 47 39 77 30 42 41 51 45 46 41 41 4f 43 41 51 38 41 4d 49 49 42 43 67 4b 43 41 51 45 41 39 54 4c 48 66 75 77 67 4c 31 45 74 47 4e 77 5c 2f 77 35 65 56 5c 5c 6e 57 44 35 62 56 58 37 49 34 63 4f 55 53 78 79 47 37 59 70 62 41 6c 47 36 6b 4f 70 64 42 69 4e 6e 5a 4e 61 77 33 6f 30 75 37 77 54 79 4f 46 68 4c 31 6e 75 61 70 63 38 73 6c 57 6e 38 32 6c 48 6e 5c 5c 6e 62 76 78 4d 5a 75 6a 55 49 41 78 75 6a 57 48 7a 32 67 55 62 70 74 78 33 46 4c 70 4e 75 74 41 62 79 65 74 74 5c 2f 30 4c 36 78 7a 45 4d 58 46 6d 67 31 32 36 76 59 4d 2b 5c 2f 76 65 73 59 31 53 53 42 5c 5c 6e 50 78 45 73 4e 47 35 4c 6d 48 54 33 67 72 57 42 65 59 58 5c 2f 67 59 6f 75 47 62 7a 38 4f 6f 4c 54 6a 32 48 59 66 55 32 64 51 33 35 5a 30 44 36 6b 49 43 77 46 67 68 49 55 44 61 69 48 6c 42 2b 31 5c 5c 6e 71 51 35 71 5c 2f 46 5a 64 51 6c 7a [TRUNCATED] Data Ascii: {"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9TLHfuwgL1EtGNw\/w5eV\\nWD5bVX7I4cOUSxyG7YpbAlG6kOpdBiNnZNaw3o0u7wTyOFhL1nuapc8slWn82lHn\\nbvxMZujUIAxujWHz2gUbptx3FLpNutAbyett\/0L6xzEMXFmg126vYM+\/vesY1SSB\\nPxEsNG5LmHT3grWBeYX\/gYouGbz8OoLTj2HYfU2dQ35Z0D6kICwFghIUDaiHlB+1\\nqQ5q\/FZdQlzkFIhimqtbS+HbzpJB4dnIF\/TD9iNmFWJwjyAjaJjfdV1npllllYLK\\n3lHt4qRVdUfJBn0puzHB218fzdgcivOuvxzrBR9zm8vj45HmdquPQv5T8abYGYIn\\nXwIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"tp8qj68iQwedJUixDcnQEpfFZzicxmbmmdy7tJyT"}
Sep 2, 2024 18:21:13.757093906 CEST	764	IN	HTTP/1.1 200 OK Date: Mon, 02 Sep 2024 16:21:18 GMT Server: Apache/2.4.37 (Win64) PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 560 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 7b 22 70 75 62 6c 69 63 5f 6b 65 79 22 3a 22 2d 2d 2d 2d 2d 42 45 47 49 4e 26 23 31 36 30 3b 50 55 42 4c 49 43 26 23 31 36 30 3b 4b 45 59 2d 2d 2d 2d 2d 5c 5c 6e 4d 49 49 42 49 6a 41 4e 42 67 6b 71 68 6b 69 47 39 77 30 42 41 51 45 46 41 41 4f 43 41 51 38 41 4d 49 49 42 43 67 4b 43 41 51 45 41 39 54 4c 48 66 75 77 67 4c 31 45 74 47 4e 77 5c 2f 77 35 65 56 5c 5c 6e 57 44 35 62 56 58 37 49 34 63 4f 55 53 78 79 47 37 59 70 62 41 6c 47 36 6b 4f 70 64 42 69 4e 6e 5a 4e 61 77 33 6f 30 75 37 77 54 79 4f 46 68 4c 31 6e 75 61 70 63 38 73 6c 57 6e 38 32 6c 48 6e 5c 5c 6e 62 76 78 4d 5a 75 6a 55 49 41 78 75 6a 57 48 7a 32 67 55 62 70 74 78 33 46 4c 70 4e 75 74 41 62 79 65 74 74 5c 2f 30 4c 36 78 7a 45 4d 58 46 6d 67 31 32 36 76 59 4d 2b 5c 2f 76 65 73 59 31 53 53 42 5c 5c 6e 50 78 45 73 4e 47 35 4c 6d 48 54 33 67 72 57 42 65 59 58 5c 2f 67 59 6f 75 47 62 7a 38 4f 6f 4c 54 6a 32 48 59 66 55 32 64 51 33 35 5a 30 44 36 6b 49 43 77 46 67 68 49 55 44 61 69 48 6c 42 2b 31 5c 5c 6e 71 51 35 71 5c 2f 46 5a 64 51 6c 7a [TRUNCATED] Data Ascii: {"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9TLHfuwgL1EtGNw\/w5eV\\nWD5bVX7I4cOUSxyG7YpbAlG6kOpdBiNnZNaw3o0u7wTyOFhL1nuapc8slWn82lHn\\nbvxMZujUIAxujWHz2gUbptx3FLpNutAbyett\/0L6xzEMXFmg126vYM+\/vesY1SSB\\nPxEsNG5LmHT3grWBeYX\/gYouGbz8OoLTj2HYfU2dQ35Z0D6kICwFghIUDaiHlB+1\\nqQ5q\/FZdQlzkFIhimqtbS+HbzpJB4dnIF\/TD9iNmFWJwjyAjaJjfdV1npllllYLK\\n3lHt4qRVdUfJBn0puzHB218fzdgcivOuvxzrBR9zm8vj45HmdquPQv5T8abYGYIn\\nXwIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"tp8qj68iQwedJUixDcnQEpfFZzicxmbmmdy7tJyT"}
Sep 2, 2024 18:21:13.758697987 CEST	764	IN	HTTP/1.1 200 OK Date: Mon, 02 Sep 2024 16:21:18 GMT Server: Apache/2.4.37 (Win64) PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 560 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 7b 22 70 75 62 6c 69 63 5f 6b 65 79 22 3a 22 2d 2d 2d 2d 2d 42 45 47 49 4e 26 23 31 36 30 3b 50 55 42 4c 49 43 26 23 31 36 30 3b 4b 45 59 2d 2d 2d 2d 2d 5c 5c 6e 4d 49 49 42 49 6a 41 4e 42 67 6b 71 68 6b 69 47 39 77 30 42 41 51 45 46 41 41 4f 43 41 51 38 41 4d 49 49 42 43 67 4b 43 41 51 45 41 39 54 4c 48 66 75 77 67 4c 31 45 74 47 4e 77 5c 2f 77 35 65 56 5c 5c 6e 57 44 35 62 56 58 37 49 34 63 4f 55 53 78 79 47 37 59 70 62 41 6c 47 36 6b 4f 70 64 42 69 4e 6e 5a 4e 61 77 33 6f 30 75 37 77 54 79 4f 46 68 4c 31 6e 75 61 70 63 38 73 6c 57 6e 38 32 6c 48 6e 5c 5c 6e 62 76 78 4d 5a 75 6a 55 49 41 78 75 6a 57 48 7a 32 67 55 62 70 74 78 33 46 4c 70 4e 75 74 41 62 79 65 74 74 5c 2f 30 4c 36 78 7a 45 4d 58 46 6d 67 31 32 36 76 59 4d 2b 5c 2f 76 65 73 59 31 53 53 42 5c 5c 6e 50 78 45 73 4e 47 35 4c 6d 48 54 33 67 72 57 42 65 59 58 5c 2f 67 59 6f 75 47 62 7a 38 4f 6f 4c 54 6a 32 48 59 66 55 32 64 51 33 35 5a 30 44 36 6b 49 43 77 46 67 68 49 55 44 61 69 48 6c 42 2b 31 5c 5c 6e 71 51 35 71 5c 2f 46 5a 64 51 6c 7a [TRUNCATED] Data Ascii: {"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9TLHfuwgL1EtGNw\/w5eV\\nWD5bVX7I4cOUSxyG7YpbAlG6kOpdBiNnZNaw3o0u7wTyOFhL1nuapc8slWn82lHn\\nbvxMZujUIAxujWHz2gUbptx3FLpNutAbyett\/0L6xzEMXFmg126vYM+\/vesY1SSB\\nPxEsNG5LmHT3grWBeYX\/gYouGbz8OoLTj2HYfU2dQ35Z0D6kICwFghIUDaiHlB+1\\nqQ5q\/FZdQlzkFIhimqtbS+HbzpJB4dnIF\/TD9iNmFWJwjyAjaJjfdV1npllllYLK\\n3lHt4qRVdUfJBn0puzHB218fzdgcivOuvxzrBR9zm8vj45HmdquPQv5T8abYGYIn\\nXwIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"tp8qj68iQwedJUixDcnQEpfFZzicxmbmmdy7tJyT"}

Timestamp	Bytes transferred	Direction	Data
2024-09-02 16:21:06 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-09-02 16:21:06 UTC	897	IN	HTTP/1.1 200 OK Date: Mon, 02 Sep 2024 16:21:06 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6HBp58CbRNL8lgOcddiHedDCKyZAilwEx2Yg%2F%2BxlwatRn1okj2KF9lryr%2FZ9UC09PPggLEwkuRvC1%2BbsIr%2FQSDUeCCh2nbRlLeb0HNQSGdUW9wI%2Bie%2BbqIlH5tiv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8bced4c90dfe43c8-EWR alt-svc: h3=":443"; ma=86400
2024-09-02 16:21:06 UTC	418	IN	Data Raw: 31 39 62 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 79 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 5c 75 30 34 34 65 2d 5c 75 30 34 31 39 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 61 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 Data Ascii: 19b{"ip":"8.46.123.33","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044c
2024-09-02 16:21:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-09-02 16:21:08 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-09-02 16:21:08 UTC	893	IN	HTTP/1.1 200 OK Date: Mon, 02 Sep 2024 16:21:08 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qdOrxk3%2FLAFhv3t8V8zUC0YUpfvJKmlBOjlZnnhHiJ7ViiQMSNjvHLEtLWHAWM%2Ff0yRSdNyomJs4p%2BbGL%2FdFTn94ru84e6ItLPzlolnCvCc1hjmT2EryZZ%2BBjPZJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8bced4d59dbb41c3-EWR alt-svc: h3=":443"; ma=86400
2024-09-02 16:21:08 UTC	418	IN	Data Raw: 31 39 62 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 79 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 5c 75 30 34 34 65 2d 5c 75 30 34 31 39 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 61 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 Data Ascii: 19b{"ip":"8.46.123.33","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044c
2024-09-02 16:21:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-09-02 16:21:10 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-09-02 16:21:10 UTC	895	IN	HTTP/1.1 200 OK Date: Mon, 02 Sep 2024 16:21:10 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cL%2F1CYVR%2FZt2a%2Fn2LqZBio1gwuZYiQZ2tiwFfagZloZzEa7Cw5DeMNlJ%2BGuOV3%2Fu9KvQ3IGsDmd9wpLuMJlXCVV7gzpJFgHndkrFhp1AcAcksEF7aYtrNvA8LK%2FS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8bced4e37f4480d9-EWR alt-svc: h3=":443"; ma=86400
2024-09-02 16:21:10 UTC	418	IN	Data Raw: 31 39 62 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 79 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 5c 75 30 34 34 65 2d 5c 75 30 34 31 39 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 61 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 Data Ascii: 19b{"ip":"8.46.123.33","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044c
2024-09-02 16:21:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-09-02 16:21:20 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-09-02 16:21:20 UTC	891	IN	HTTP/1.1 200 OK Date: Mon, 02 Sep 2024 16:21:20 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j3FlhCcQzAsr8ca3BOx0rW6ESAKe5o2uwlyagUKExtD1xQQyFa0k0zjzo%2BOcs81AS%2Fto7qf75n9Bb1fsTa%2FoXpPAjYcrP%2BCbrNcXYLJ8y3hTuYpSgjgApGosQMyx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8bced5224a90c44a-EWR alt-svc: h3=":443"; ma=86400
2024-09-02 16:21:20 UTC	418	IN	Data Raw: 31 39 62 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 79 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 5c 75 30 34 34 65 2d 5c 75 30 34 31 39 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 61 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 Data Ascii: 19b{"ip":"8.46.123.33","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044c
2024-09-02 16:21:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-09-02 16:21:32 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-09-02 16:21:33 UTC	887	IN	HTTP/1.1 200 OK Date: Mon, 02 Sep 2024 16:21:33 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sWRsTmEHCmcZZLus5cZ0E2LWDmSvqzWtRBZaASgoMd1foZi8cW7Qsoj9kWVZVve3r%2BJeIGEMCQNbnNeScwFxfGCWlG6ogx%2BFzqgUvr6GfNOVAT1clt00XhFS6QrN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8bced57048620cba-EWR alt-svc: h3=":443"; ma=86400
2024-09-02 16:21:33 UTC	418	IN	Data Raw: 31 39 62 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 79 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 5c 75 30 34 34 65 2d 5c 75 30 34 31 39 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 61 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 Data Ascii: 19b{"ip":"8.46.123.33","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044c
2024-09-02 16:21:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-09-02 16:21:44 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-09-02 16:21:44 UTC	885	IN	HTTP/1.1 200 OK Date: Mon, 02 Sep 2024 16:21:44 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lrsEQkKHkEVKpEClMIEZ1dsabluTJEhh6XDU6O2iHQsZmJx9i2B%2BTqpnzzAUXXGQqXvfhJKBxK2olsTVv7BnagqeropA9MDTM87OM3qSebNtTrReCpi4BiRFtZvd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8bced5b98ee00fa3-EWR alt-svc: h3=":443"; ma=86400
2024-09-02 16:21:44 UTC	418	IN	Data Raw: 31 39 62 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 79 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 5c 75 30 34 34 65 2d 5c 75 30 34 31 39 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 61 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 Data Ascii: 19b{"ip":"8.46.123.33","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044c
2024-09-02 16:21:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-09-02 16:23:06 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-09-02 16:23:06 UTC	885	IN	HTTP/1.1 200 OK Date: Mon, 02 Sep 2024 16:23:06 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6XVChI8RoYu09ds1HZJzpH9PvM7Ex6gztSLbGC1Bj0D1dOoOWfxTzkEKorOC6WLzk2wCpCJJ2o0DGqMyUkqQHld3tcAXnMcqIaL9yuWHKkoUAv3eVrg%2Fv79Fu3te"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8bced7b91d9c43af-EWR alt-svc: h3=":443"; ma=86400
2024-09-02 16:23:06 UTC	418	IN	Data Raw: 31 39 62 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 79 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 5c 75 30 34 34 65 2d 5c 75 30 34 31 39 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 61 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 Data Ascii: 19b{"ip":"8.46.123.33","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044c
2024-09-02 16:23:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	12:21:03
Start date:	02/09/2024
Path:	C:\Users\user\Desktop\66d5df681876c_file010924.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\66d5df681876c_file010924.exe"
Imagebase:	0x400000
File size:	831'488 bytes
MD5 hash:	7972B08246E568495D9D116FC2D0B159
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1232942398.00000000022C9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000000.00000002.1232991821.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000002.1232991821.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Target ID:	4
Start time:	12:21:05
Start date:	02/09/2024
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls "C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Imagebase:	0x9c0000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	12:21:06
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe --Task
Imagebase:	0x400000
File size:	831'488 bytes
MD5 hash:	7972B08246E568495D9D116FC2D0B159
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000006.00000002.1282127310.00000000022FE000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000006.00000002.1282193755.0000000002390000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000002.1282193755.0000000002390000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	12
Start time:	12:21:08
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe --Task
Imagebase:	0x400000
File size:	831'488 bytes
MD5 hash:	7972B08246E568495D9D116FC2D0B159
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000C.00000002.2488460103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000C.00000002.2488460103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000C.00000002.2488460103.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 66d5df681876c_file010924.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Djvu

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\$WinREAgent\Scratch\_readme.txt

C:\$WinREAgent\_readme.txt

C:\SystemID\PersonalID.txt

C:\Users\user\.curlrc

C:\Users\user\.curlrc.watz (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old.watz (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old.watz (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json.watz (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Windows Analysis Report
66d5df681876c_file010924.exe

Target ID:	20
Start time:	12:21:17
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe" --AutoStart
Imagebase:	0x400000
File size:	831'488 bytes
MD5 hash:	7972B08246E568495D9D116FC2D0B159
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000014.00000002.1380517656.0000000002181000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000014.00000002.1380613748.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000014.00000002.1380613748.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Target ID:	21
Start time:	12:21:18
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe" --AutoStart
Imagebase:	0x400000
File size:	831'488 bytes
MD5 hash:	7972B08246E568495D9D116FC2D0B159
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000015.00000002.1393524836.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000015.00000002.1393524836.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000015.00000002.1393524836.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Target ID:	24
Start time:	14:17:52
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe --Task
Imagebase:	0x400000
File size:	831'488 bytes
MD5 hash:	7972B08246E568495D9D116FC2D0B159
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000018.00000002.1506583704.0000000002380000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000018.00000002.1506583704.0000000002380000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000018.00000002.1506412476.00000000022EA000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Target ID:	25
Start time:	14:17:54
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe --Task
Imagebase:	0x400000
File size:	831'488 bytes
MD5 hash:	7972B08246E568495D9D116FC2D0B159
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000019.00000002.1522339744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000019.00000002.1522339744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000019.00000002.1522339744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Target ID:	28
Start time:	14:18:04
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe" --AutoStart
Imagebase:	0x400000
File size:	831'488 bytes
MD5 hash:	7972B08246E568495D9D116FC2D0B159
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001C.00000002.1624704973.000000000228E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000001C.00000002.1624809590.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000001C.00000002.1624809590.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Target ID:	29
Start time:	14:18:05
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe" --AutoStart
Imagebase:	0x400000
File size:	831'488 bytes
MD5 hash:	7972B08246E568495D9D116FC2D0B159
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000001D.00000002.1635910279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000001D.00000002.1635910279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000001D.00000002.1635910279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Target ID:	32
Start time:	14:19:27
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\f2d62e47-6455-43f0-a9b7-09a9903ddbb8\66d5df681876c_file010924.exe --Task
Imagebase:	0x400000
File size:	831'488 bytes
MD5 hash:	7972B08246E568495D9D116FC2D0B159
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000020.00000002.2444319207.0000000002332000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000020.00000002.2444379499.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000020.00000002.2444379499.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	94.9%
Signature Coverage:	47.8%
Total number of Nodes:	136
Total number of Limit Nodes:	22

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	39
Total number of Limit Nodes:	8

Execution Coverage:	5.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4%
Total number of Nodes:	1956
Total number of Limit Nodes:	177